CVE-2022-0624
Authorization Bypass vulnerability in parse-path (npm)
What is CVE-2022-0624 About?
This vulnerability is an Authorization Bypass Through User-Controlled Key in the 'ionicabizau/parse-path' GitHub repository. It allows an attacker to bypass authorization mechanisms by manipulating keys. Exploitation is likely of moderate complexity, relying on how the application uses the affected library.
Affected Software
Technical Details
The 'ionicabizau/parse-path' library, specifically prior to version 5.0.0, suffers from an Authorization Bypass Through User-Controlled Key. This implies that critical authorization decisions are being made or influenced by a key (identifier, parameter, or similar) that can be directly controlled or manipulated by a user. An attacker can craft a request or input that modifies this key, thereby circumventing intended authorization checks and gaining unauthorized access to resources or functionalities. The exact mechanism would depend on how parse-path processes and interprets user-supplied input that later forms or influences keys used in authorization contexts.
What is the Impact of CVE-2022-0624?
Successful exploitation may allow attackers to bypass intended authorization mechanisms, gaining unauthorized access to restricted resources or functionalities.
What is the Exploitability of CVE-2022-0624?
Exploitation complexity for this vulnerability is likely moderate. It would require understanding how the 'parse-path' library is utilized within a specific application's authorization flow and identifying where a user-controlled key can be injected or manipulated. Authentication to the application may be required to reach the vulnerable code path, but privilege requirements would depend on what authorization is being bypassed. The vulnerability could be exploited both locally and remotely, depending on the application's configuration and exposure. Special conditions would involve the application using the 'parse-path' library in a way that allows user input to directly influence keys used for authorization decisions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2022-0624?
About the Fix from Resolved Security
This patch refactors URL parsing to use Node.js's built-in URL API, which eliminates custom parsing logic prone to errors. By doing so, it fixes CVE-2022-0624 because the original manual parser mishandled special characters and edge cases, potentially allowing crafted inputs to bypass parsing restrictions or cause security issues such as injection vulnerabilities. The patch ensures robust and consistent parsing, preventing attacks that exploit improper input handling.
Available Upgrade Options
- parse-path
- <5.0.0 → Upgrade to 5.0.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/ionicabizau/parse-path/commit/f9ad8856a3c8ae18e1cf4caef5edbabbc42840e8
- https://huntr.dev/bounties/afffb2bd-fb06-4144-829e-ecbbcbc85388
- https://nvd.nist.gov/vuln/detail/CVE-2022-0624
- https://github.com/ionicabizau/parse-path/commit/f9ad8856a3c8ae18e1cf4caef5edbabbc42840e8
- https://osv.dev/vulnerability/GHSA-3j8f-xvm3-ffx4
- https://huntr.dev/bounties/afffb2bd-fb06-4144-829e-ecbbcbc85388
- https://github.com/ionicabizau/parse-path
What are Similar Vulnerabilities to CVE-2022-0624?
Similar Vulnerabilities: CVE-2020-7792 , CVE-2021-44228 , CVE-2019-11252 , CVE-2021-31620 , CVE-2022-28108
