CVE-2022-0868
Open Redirect vulnerability in urijs (npm)
What is CVE-2022-0868 About?
This vulnerability in `urijs` prior to version 1.19.10 is an open redirect flaw that bypasses the earlier fix for CVE-2022-0613. It allows attackers to redirect users to arbitrary websites. It is relatively easy to exploit: the attacker only needs a victim to follow a crafted URL.
Affected Software
Technical Details
The vulnerability in urijs (prior to version 1.19.10) is an open redirect, which specifically bypasses the fix intended for CVE-2022-0613. This indicates that despite attempts to secure URL parsing and redirection logic, a new malicious pattern or edge case was found. An attacker can construct a specially crafted URL that, when processed by the vulnerable library and subsequently used for redirection by an application, will direct the user's browser to an arbitrary, attacker-controlled destination. This subverts the application's intended navigation and leads the user to a potentially malicious site without their explicit consent or awareness.
What is the Impact of CVE-2022-0868?
Successful exploitation may allow attackers to redirect users to malicious websites, facilitating phishing attacks, malware distribution, or other harmful activities.
What is the Exploitability of CVE-2022-0868?
Exploitation of this open redirect vulnerability is of low complexity. It requires no authentication or special privileges. The attack is remote: an attacker supplies a specially crafted URL to a victim, who then interacts with an application that uses the vulnerable urijs library. The primary prerequisite is that the application uses urijs to process user-supplied URL parameters and redirects based on the result. The risk is higher if the application redirects on any URL parameter without stringent validation. Because this is a bypass of an earlier fix, common sanitization methods may be ineffective against it.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2022-0868?
About the Fix from Resolved Security
This patch changes the regex in URI.js to allow and collapse multiple colons in the protocol delimiter to a single "://" form, ensuring inputs like "http:://" and "http::\\" are normalized correctly. This fixes CVE-2022-0868 by preventing crafted URLs with excessive colons from bypassing URL parsing and validation logic, which could otherwise enable security issues like open redirects or SSRF.
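Added example, not urijs code or the project's patch: a Node.js redirect-target check that first applies the delimiter normalization described above (collapsing `http:://` and `http::\\` to `http://`) and then decides on a host allowlist, so the redirect decision never rests on parser behaviour alone. The hostnames in `ALLOWED_HOSTS` and the sample inputs are constructed.

```javascript
// Added example (not urijs code or the project's patch): a redirect-target
// validator that applies the scheme-delimiter normalization described in the
// advisory and then enforces a host allowlist, so a parser quirk alone can
// never decide where the user is sent. Uses Node's global WHATWG URL class.

// Hosts the (hypothetical) application is willing to redirect to. Assumed values.
const ALLOWED_HOSTS = new Set(["app.example", "login.example"]);

// Collapse repeated colons and slashes after the scheme ("http:://", "http::\\")
// into a single "://". This illustrates the behaviour the fix describes; it is
// not the library's own regular expression.
function normalizeSchemeDelimiter(input) {
  return input.replace(/^([a-z][a-z0-9+.-]*):+[\\\/]{2,}/i, "$1://");
}

// Returns true only for targets the application may redirect to:
// same-origin paths, or http(s) URLs whose host is on the allowlist.
function isSafeRedirectTarget(target, allowedHosts = ALLOWED_HOSTS) {
  if (typeof target !== "string" || target.length === 0) return false;

  // A relative path must start with exactly one "/" followed by neither "/"
  // nor "\": browsers treat "//host" and "/\host" as scheme-relative URLs.
  if (/^\/(?![\\\/])/.test(target)) return true;

  let parsed;
  try {
    parsed = new URL(normalizeSchemeDelimiter(target));
  } catch {
    return false; // anything the parser rejects is not a redirect target
  }

  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  if (parsed.username !== "" || parsed.password !== "") return false; // no "host@" tricks
  return allowedHosts.has(parsed.hostname.toLowerCase());
}

// Stand-alone demonstration with constructed inputs.
for (const t of ["/account", "//evil.example/", "http:://evil.example/",
                 "http::\\\\app.example/", "https://app.example/dash"]) {
  console.log(JSON.stringify(t), "->", isSafeRedirectTarget(t));
}
```

The normalized form is only an input to the allowlist check; a target that parses cleanly but points off-site is still refused.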
Available Upgrade Options
- urijs
- <1.19.10 → Upgrade to 1.19.10
Additional Resources
- https://osv.dev/vulnerability/GHSA-8h2f-7jc4-7m3m
- https://nvd.nist.gov/vuln/detail/CVE-2022-0868
- https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509
- https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02
- https://github.com/medialize/URI.js/releases/tag/v1.19.10
- https://github.com/medialize/uri.js
What are Similar Vulnerabilities to CVE-2022-0868?
Similar Vulnerabilities: CVE-2023-49080, CVE-2023-47038, CVE-2023-37903, CVE-2023-36662, CVE-2023-35805
