CVE-2022-0512
Authorization Bypass vulnerability in url-parse (npm)
What is CVE-2022-0512 About?
This vulnerability is an Authorization Bypass Through User-Controlled Key in NPM `url-parse` prior to version 1.5.6. It allows an attacker to manipulate keys to circumvent access controls. Exploitation is likely straightforward for an attacker who can control input affecting key resolution.
Affected Software
Technical Details
The url-parse library, in versions prior to 1.5.6, is vulnerable to an authorization bypass when an attacker can control the 'key' component used in authorization decisions. This could manifest if url-parse processes a URL where a critical 'key' (e.g., a query parameter acting as an authorization token, an API key, or a component of a resource identifier used in access control checks) can be manipulated by the user. If the parsing logic, or the subsequent authorization mechanism, incorrectly interprets or normalizes a user-supplied 'key' because of inconsistencies in how url-parse handles various URL components, an attacker could craft a malformed URL that is parsed in a way that bypasses authorization checks, giving unauthorized access to resources or functionality.
What is the Impact of CVE-2022-0512?
Successful exploitation may allow attackers to bypass authorization checks, leading to unauthorized access to resources or elevated privileges.
What is the Exploitability of CVE-2022-0512?
Exploitation of this Authorization Bypass vulnerability would likely be of medium complexity. An attacker needs to craft specific URLs that leverage the flaw in how url-parse processes user-controlled keys. The necessity of prior authentication or specific privileges would depend on where the vulnerable URL parsing occurs within the application's authentication/authorization flow. This is a remote vulnerability, as it involves URL parsing, typically from network requests. The main prerequisite is that the application uses the vulnerable url-parse library and relies on a user-controlled 'key' derived from a URL for authorization decisions, where the parsing flaw can be leveraged. Risk factors include applications that use url-parse to construct or validate URLs for access control policies.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-0512?
About the Fix from Resolved Security
The patch corrects parsing and encoding of userinfo in URLs so that @ and : characters in usernames and passwords are handled safely, ensuring they are percent-encoded and not mistaken for URL structure delimiters. This mitigates CVE-2022-0512 by preventing confusion between the actual userinfo and host portions of a URL, which could have led to incorrect authentication handling or host spoofing vulnerabilities.
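The following is an added example, not code from url-parse or from Resolved Security. It uses Node's built-in WHATWG `URL` parser to show the userinfo handling the fix description calls for (`@` and `:` inside userinfo come back percent-encoded, and the host is what follows the last `@`), plus a host allowlist check that refuses any URL carrying userinfo. `ALLOWED_HOSTS`, `rawAuthority`, `describe`, `checkTarget` and every sample URL are hypothetical names and constructed values.

```javascript
// Added example: allowlist check that is robust to '@' and ':' in userinfo.
// ALLOWED_HOSTS and all sample URLs are constructed for illustration.
const ALLOWED_HOSTS = new Set(["trusted.example"]);

// Raw authority: the text between "//" and the next "/", "?" or "#".
function rawAuthority(input) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(input);
  return m ? m[1] : null;
}

// Report how the WHATWG parser split userinfo from host.
function describe(input) {
  const u = new URL(input);
  return { username: u.username, password: u.password, hostname: u.hostname };
}

// Decide whether a user-supplied URL may be used as a target.
// Userinfo is never needed for this decision, so any '@' in the
// authority is refused outright instead of being interpreted.
function checkTarget(input) {
  let u;
  try {
    u = new URL(input);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: "scheme" };

  const authority = rawAuthority(input);
  if (authority === null) return { ok: false, reason: "authority" };
  if (authority.includes("@") || u.username || u.password) {
    return { ok: false, reason: "userinfo" };
  }
  // Compare the parsed hostname exactly; no substring or suffix matching.
  if (!ALLOWED_HOSTS.has(u.hostname)) return { ok: false, reason: "host" };
  return { ok: true, reason: "allowed", hostname: u.hostname };
}

// Constructed input with '@' and ':' inside the userinfo part.
const sample = "https://alice@corp:p:w@trusted.example/";
console.log(describe(sample));
console.log(checkTarget(sample));
console.log(checkTarget("https://trusted.example/path"));
```

The same `describe` output can be compared against what the application's own URL library returns for the same input; any difference in `hostname` or userinfo is the parser disagreement this CVE is about.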
Available Upgrade Options
- url-parse
  - <1.5.6 → Upgrade to 1.5.6
Additional Resources
- https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html
- https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b
- https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40
- https://nvd.nist.gov/vuln/detail/CVE-2022-0512
- https://osv.dev/vulnerability/GHSA-rqff-837h-mm52
- https://github.com/unshiftio/url-parse
What are Similar Vulnerabilities to CVE-2022-0512?
Similar Vulnerabilities: CVE-2021-31684, CVE-2021-32640, CVE-2021-33514, CVE-2022-23508, CVE-2020-13936
