CVE-2022-0691
Incorrect URL Parsing vulnerability in url-parse (npm)
What is CVE-2022-0691 About?
This vulnerability is an incorrect URL parsing issue in the url-parse package: leading control characters in a URL are not stripped, so `url-parse` parses such a URL differently from a WHATWG-compliant parser such as the one in a browser. Security decisions based on `url-parse` output can therefore be wrong, leading to validation bypasses and Cross-Site Scripting (XSS). Exploitation requires control over the input URL and an application that relies on `url-parse` for security checks, which makes it moderately complex.
Affected Software
Technical Details
The url-parse package fails to strip leading control characters from URLs, unlike the WHATWG URL standard. As a result, url-parse treats a URL with leading control characters (e.g., `\bjavascript:alert(1)`, where `\b` is the backspace character U+0008) as a relative URL, or as one without a hostname or protocol, while a standards-compliant parser (such as a browser's) trims those characters and recognizes an absolute URL, here with the `javascript:` protocol. This divergence becomes a security bypass when url-parse is used to validate URLs that are later rendered or processed by a client using a WHATWG-compliant parser: a check meant to reject `javascript:` URIs to prevent XSS never sees the `javascript:` protocol because of the leading control characters, and the script executes in the browser.
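The discrepancy described above, as an added example that is not url-parse's own code: a validator that models url-parse's left-trim (an unpatched and a patched variant, both simplified stand-ins assumed here, not the library's real regexes) is compared against Node's WHATWG `URL` class on the advisory's sample input.

```javascript
// Minimal model of the CVE-2022-0691 discrepancy (added example, not url-parse's code).
// The two left-trim regexes are simplified stand-ins for the library's real ones.

// Before the fix: only JavaScript whitespace (\s) is trimmed, so a leading C0
// control character such as backspace (U+0008) survives and hides the scheme.
const LEFT_BEFORE = /^\s+/;
// After the fix (url-parse 1.5.9): every code point U+0000..U+0020 is trimmed,
// matching what the WHATWG URL parser strips before parsing.
const LEFT_AFTER = /^[\x00-\x20]+/;

const PROTOCOL_RE = /^([a-z][a-z0-9+.-]*):/i;

// Model of a url-parse-style protocol extraction: trim, then look for "scheme:".
function extractProtocol(input, leftRegex) {
  const trimmed = String(input).replace(leftRegex, '');
  const m = PROTOCOL_RE.exec(trimmed);
  return m ? m[1].toLowerCase() + ':' : '';
}

// What a WHATWG-compliant consumer (a browser, or Node's URL class) decides.
function whatwgProtocol(input, base = 'https://example.test/') {
  try {
    return new URL(input, base).protocol;
  } catch {
    return '';
  }
}

// The security check the advisory describes: refuse javascript: URLs before
// they are rendered. Reports the validator's view, the browser's view, and
// whether the two disagree in the dangerous direction.
function checkHref(input, leftRegex) {
  const seenByValidator = extractProtocol(input, leftRegex);
  const seenByBrowser = whatwgProtocol(input);
  const blocked = seenByValidator === 'javascript:';
  return {
    seenByValidator,
    seenByBrowser,
    blocked,
    bypass: !blocked && seenByBrowser === 'javascript:',
  };
}

// Constructed sample from the advisory: a backspace in front of a javascript: URL.
const SAMPLE = '\bjavascript:alert(1)';

console.log('unpatched:', checkHref(SAMPLE, LEFT_BEFORE)); // bypass: true
console.log('patched:  ', checkHref(SAMPLE, LEFT_AFTER));  // blocked: true, bypass: false
```

The broader defensive lesson the example makes visible is to validate with the same parser the consumer will use, which is what `whatwgProtocol` does; upgrading url-parse closes this particular gap but does not make the two parsers identical.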
What is the Impact of CVE-2022-0691?
Successful exploitation may allow attackers to bypass security checks, interpret URLs incorrectly, and potentially achieve Cross-Site Scripting (XSS), leading to unauthorized script execution in a user's browser.
What is the Exploitability of CVE-2022-0691?
Exploitation complexity is moderate, requiring an attacker to be able to provide malformed URLs with leading control characters to an application that uses the url-parse library for security-sensitive URL processing. No specific authentication or privilege requirements are noted. This vulnerability can be exploited remotely if the application processes user-supplied URLs. A special condition is that the application's security decisions (e.g., disallowing javascript: protocols) must rely on url-parse, and the processed URL is subsequently used in a context (like a web browser) that employs a WHATWG-compliant parser. The risk factor increases significantly if URL validation is critical for security and the application is exposed to untrusted URL input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-0691?
About the Fix from Resolved Security
The patch expands the set of characters trimmed from the left of the input string from a few specific whitespace code points to all C0 control characters and the space character (U+0000 to U+0020). Leading control characters can therefore no longer hide a scheme from url-parse, so attackers cannot use them to bypass input sanitization, which fixes the parsing discrepancy behind CVE-2022-0691.
Available Upgrade Options
- url-parse: versions <1.5.9 → upgrade to 1.5.9
Additional Resources
- https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63
- https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-0691
- https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4
- https://security.netapp.com/advisory/ntap-20220325-0006/
- https://github.com/unshiftio/url-parse
- https://osv.dev/vulnerability/GHSA-jf5r-8hm2-f872
What are Similar Vulnerabilities to CVE-2022-0691?
Similar Vulnerabilities: CVE-2020-8208, CVE-2020-8174, CVE-2018-16472, CVE-2021-3918, CVE-2019-6761
