CVE-2022-0613
Bypass vulnerability in urijs (npm)


What is CVE-2022-0613 About?

This vulnerability allows an attacker to bypass a security patch for CVE-2021-3647 by using case-insensitive protocol schemes. By varying the case of the protocol, the attacker can circumvent restrictions meant to prevent certain actions. Exploitation is straightforward, requiring only knowledge of the bypass method.

Affected Software

urijs <1.19.8

Technical Details

The vulnerability stems from an oversight in the patch implemented for CVE-2021-3647. The original patch relied on a case-sensitive match of the protocol scheme, so only the expected lower-case form was recognized. An attacker can bypass this protection by supplying the scheme in a different case, such as 'htTP', 'HTTP', or 'HtTP'. The security check does not normalize the scheme or match it case-insensitively, while the underlying parser goes on to treat these case-variant schemes identically to the standard one. The case-variant scheme is therefore accepted as legitimate without passing through the intended control, which allows actions or resource access that the original patch aimed to prevent.

What is the Impact of CVE-2022-0613?

Successful exploitation may allow attackers to bypass existing security controls and restrictions, leading to unauthorized access, privilege escalation, or further attacks that the original patch intended to prevent.

What is the Exploitability of CVE-2022-0613?

Exploitation of this bypass vulnerability is of low to medium complexity, depending on the context of CVE-2021-3647. An attacker simply needs to submit URLs or inputs whose protocol scheme uses mixed case. No authentication or privilege requirements are mentioned, as the flaw subverts an existing security check. It is typically a remote vulnerability where the original vulnerability involved web-based input. The prerequisite is that the system implementing the patch for CVE-2021-3647 does not normalize the protocol scheme or handle case-insensitivity during its validation. Risk factors include applications that process URLs or protocol-prefixed strings from untrusted sources without robust validation.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2022-0613?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch fixes a protocol parsing regex by adding the case-insensitive flag (i), ensuring protocols like "hTTps" are correctly normalized to use "://". This addresses CVE-2022-0613 by preventing crafted URLs with mixed-case protocols and excessive slashes from bypassing URL validation and potentially enabling attacks such as phishing or open redirects.
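As an added illustration of the defect described in the Technical Details and in the fix note above (this is not urijs' own code; the regexes and helper names are assumptions), the following JavaScript places a lower-case-only protocol normalization beside the same pattern with the `i` flag and shows how each handles a mixed-case scheme followed by excess slashes:

```javascript
// Added example, not code from urijs. A simplified stand-in for the
// protocol-prefix normalization a URL parser performs before extracting
// the authority. The regexes are assumptions chosen to show the effect of
// the missing /i flag; the real library code differs.

// Vulnerable variant: the scheme character class is lower-case only, so a
// scheme such as "hTTps:///host" never matches and the extra slashes stay.
function normalizeProtocolVulnerable(url) {
  return url.replace(/^([a-z][a-z0-9+.-]*):\/\/+/, '$1://');
}

// Fixed variant: the same pattern with the case-insensitive flag, so any
// case mix of the scheme is recognized and the slash run is collapsed.
function normalizeProtocolFixed(url) {
  return url.replace(/^([a-z][a-z0-9+.-]*):\/\/+/i, '$1://');
}

// Toy authority extraction: whatever sits between "://" and the next "/".
// It accepts the scheme case-insensitively, as the downstream parser does,
// so with uncollapsed slashes the authority comes out empty. A host
// allowlist run on that empty value would not see the real host.
function hostOf(url) {
  const m = url.match(/^[a-z][a-z0-9+.-]*:\/\/([^/]*)/i);
  return m ? m[1] : null;
}

// Host seen by a validator after each normalization variant.
function compare(url) {
  return {
    vulnerable: hostOf(normalizeProtocolVulnerable(url)),
    fixed: hostOf(normalizeProtocolFixed(url)),
  };
}

// Constructed sample inputs (not taken from the advisory).
const samples = [
  'https://good.example/path',
  'https:///other.example/path',
  'hTTps:///other.example/path',
];

for (const s of samples) {
  console.log(s, compare(s));
}
```

For the last sample the vulnerable variant reports an empty host while the fixed variant reports `other.example`, which is the discrepancy a validator must not be exposed to.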

Available Upgrade Options

  • urijs
    • <1.19.8 → Upgrade to 1.19.8


Additional Resources

What are Similar Vulnerabilities to CVE-2022-0613?

Similar Vulnerabilities: CVE-2020-13936, CVE-2021-31684, CVE-2021-32640, CVE-2021-33514, CVE-2022-23508