CVE-2022-0639
URL Parsing vulnerability in url-parse (npm)


What is CVE-2022-0639 About?

The url-parse library incorrectly parses specially crafted URLs, specifically those with an '@' sign but empty user info and no hostname, producing an incorrect 'href' attribute. This can lead to wrong security decisions when an application checks the parsed components (host, hostname, origin) but then issues requests using 'href'. Exploitation depends on the application relying on specific parsed URL attributes for security.

Affected Software

url-parse <1.5.7

Technical Details

The vulnerability in the url-parse library involves a parsing inconsistency for specially crafted URLs. When a URL contains an '@' sign but has empty user information and no hostname (e.g., "http://@/127.0.0.1"), the library incorrectly parses its components. Specifically, it may return an empty string for host and hostname, and 'null' for origin, while href might resolve to 'http:///127.0.0.1'. This creates a discrepancy: security decisions made based on the incorrect hostname or origin attributes would be flawed, while subsequent requests made using the misleading href attribute could bypass those checks. The attack vector involves supplying such a malformed URL to an application that uses url-parse for security-sensitive operations.
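As an added example (not code from this advisory or from the url-parse project), the functions below show the defensive checks the discrepancy above calls for: a consistency check on a url-parse style result object, and a safer pattern that derives the allow-list decision and the request target from a single parser pass. It uses Node's built-in WHATWG URL class instead of url-parse, and the result object is a constructed sample reproducing the values the advisory lists for "http://@/127.0.0.1".

```javascript
// Constructed sample: the parse result the advisory describes for
// "http://@/127.0.0.1" on url-parse < 1.5.7. No url-parse dependency needed.
const CRAFTED = 'http://@/127.0.0.1';
const vulnerableParseResult = {
  href: 'http:///127.0.0.1',
  host: '',
  hostname: '',
  origin: 'null',
};

// Defensive check: the hostname an application would allow-list must agree
// with the host that the href would actually reach. Re-parse href with the
// WHATWG parser (Node's global URL) and compare the two hostnames.
function parseIsConsistent(parsed) {
  // An http(s) URL with no host is never acceptable as a request target.
  if (parsed.hostname === '') return false;
  let reparsed;
  try {
    reparsed = new URL(parsed.href);
  } catch {
    return false; // href is not even a usable URL
  }
  return reparsed.hostname === parsed.hostname;
}

// Safer pattern: check and use the SAME parsed object, so there is no second
// interpretation of the input for the check and the request to disagree on.
function resolveAllowedTarget(rawUrl, allowedHosts) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null; // "http://@/127.0.0.1" is rejected here: empty host
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (!allowedHosts.includes(u.hostname)) return null;
  return u.href; // request only what was actually checked
}
```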

What is the Impact of CVE-2022-0639?

Successful exploitation may allow attackers to bypass security checks that rely on parsed URL components, potentially leading to unauthorized access, open redirects, or other security policy violations.

What is the Exploitability of CVE-2022-0639?

Exploitation complexity is moderate, requiring the attacker to provide a specially crafted URL to an application that uses url-parse. The prerequisites are that the application must use url-parse for security decisions based on hostname or origin, and then use the href attribute for actual requests. No specific authentication or privilege is required to submit the malicious URL. This is typically a remote vulnerability, as the URL input would likely come over the network. Special conditions include the application's logic relying on the vulnerable parsing behavior for security decisions. Risk factors increase if input URLs are not rigorously validated before being parsed and used in security contexts.

What are the Known Public Exploits?

No known public exploits are listed (PoC, author, link, commentary: none).

What are the Available Fixes for CVE-2022-0639?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch ensures that when parsing certain URLs with empty authentication and host fields, an '@' is added to the resulting string to accurately preserve the original invalid structure, preventing the pathname from being misinterpreted as the host. This fixes the vulnerability CVE-2022-0639 by stopping crafted URLs from being transformed into valid-but-incorrect forms, which could otherwise be abused for SSRF or other attacks relying on host ambiguity.

Available Upgrade Options

  • url-parse
    • <1.5.7 → Upgrade to 1.5.7


Additional Resources

What are Similar Vulnerabilities to CVE-2022-0639?

Similar Vulnerabilities: CVE-2022-1233, CVE-2021-3796, CVE-2021-23424, CVE-2020-8260, CVE-2020-8174