CVE-2022-0122
Improper Input Validation vulnerability in node-forge (npm)

Improper Input Validation | No known exploit | Fixable by Resolved Security

What is CVE-2022-0122 About?

This vulnerability involves improper input validation in the `parseUrl` functionality of node-forge, where specific backslash sequences are mishandled, leading to the URI being interpreted as a relative path. This misinterpretation can have security implications, depending on how the parsed URI is subsequently used by the application, potentially allowing path traversal or other attacks. The exploitation difficulty depends on the application's use of the parsed URI.

Affected Software

node-forge <1.0.0

Technical Details

The `parseUrl` functionality within the node-forge library contains a flaw where it incorrectly parses URIs that include certain uses of backslashes, such as `https:/\/\/\`. Instead of correctly identifying the scheme and absolute path, the parser misinterprets these backslash sequences, leading to the URI being processed as a relative path. This parsing error can subvert security controls that rely on correct URI interpretation (e.g., origin checks, domain whitelisting), potentially allowing an attacker to bypass these checks if the application uses the misparsed relative path in a sensitive operation like loading resources or making requests.

What is the Impact of CVE-2022-0122?

Successful exploitation may allow attackers to bypass security checks that rely on accurate URI parsing, lead to incorrect resource loading, or enable path traversal, potentially compromising data integrity or system access.

What is the Exploitability of CVE-2022-0122?

Exploitation of this vulnerability requires submitting a specially crafted URL containing specific backslash patterns to an application using the vulnerable `parseUrl` functionality of node-forge. The complexity is moderate, as it requires understanding the parsing logic and how an application uses the parsed output. No specific authentication or high privileges are typically required at the point of inputting the URL. This is generally a remote access vulnerability, as the attacker interacts with the application's URL processing. Special conditions include the application's reliance on the `parseUrl` output for security-sensitive operations. Risk factors increasing exploitation likelihood include applications that process user-supplied URLs without secondary validation or that perform actions based solely on the `parseUrl` output.
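One way to add the secondary validation mentioned above, as an added example that is not from the original page or from node-forge: it validates with Node's built-in WHATWG `URL` class and rejects backslashes outright, because parsers disagree about them. `ALLOWED_HOSTS`, `checkUrl`, `standardHost` and the hostnames are assumptions made for illustration.

```javascript
// Added example, not node-forge code. All names and hosts below are hypothetical.
const ALLOWED_HOSTS = new Set(['api.example.com']); // constructed allowlist

// What a standards-compliant parser makes of an input. For https, the WHATWG
// parser skips any run of '/' and '\' after the scheme, so a string that one
// parser treats as a relative path still resolves to an absolute URL here.
function standardHost(input) {
  return new URL(input).hostname;
}

// Validate a user-supplied URL before it is used for a request or redirect.
function checkUrl(input) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not-a-string' };
  }
  // Reject backslashes, whitespace and control characters on the raw input,
  // before any parser gets a chance to normalise them away.
  if (/[\\\u0000-\u0020\u007f]/.test(input)) {
    return { ok: false, reason: 'forbidden-character' };
  }
  let url;
  try {
    url = new URL(input); // no base URL: relative input throws
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials' }; // blocks allowed-host@other-host tricks
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: 'host' };
  }
  // Hand back the normalised form so the caller uses exactly what was checked.
  return { ok: true, href: url.href };
}
```

Use the returned `href` for the outbound request or redirect rather than the original string, so the value that was checked is the value that is used.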

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2022-0122?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • node-forge
    • <1.0.0 → Upgrade to 1.0.0

Additional Resources

What are Similar Vulnerabilities to CVE-2022-0122?

Similar Vulnerabilities: CVE-2021-41180, CVE-2018-1000676, CVE-2017-1000373, CVE-2016-10767, CVE-2015-8857