CVE-2022-1233
URL parsing vulnerability in urijs (npm)
What is CVE-2022-1233 About?
Medialize's URI.js library incorrectly parses URLs that have no scheme but carry an excessive run of leading slashes, yielding a null hostname and an incorrect path, which differs from browser behavior. If an application relies on these parsed components for security decisions, those decisions can be wrong. Exploitation depends on how the application uses the parsed URL components.
Affected Software
Technical Details
The vulnerability in Medialize's URI.js library (prior to version 1.19.11) concerns its URL parsing logic. Specifically, when presented with a URL that lacks a scheme but contains an excessive number of leading slashes (e.g., ///www.example.com), URI.js parses it differently from how browsers would. Instead of resolving to http://www.example.com, URI.js incorrectly identifies the hostname as null and the path as /www.example.com. This discrepancy creates a security risk: if an application uses the hostname or origin attributes from URI.js for security decisions (e.g., whitelist checks), but then uses the full parsed URL (or the original input) for making a request, these security checks can be bypassed, as the requested host would be different from the one evaluated for security.
What is the Impact of CVE-2022-1233?
Successful exploitation may allow attackers to bypass hostname or origin-based security checks, potentially leading to unauthorized access, open redirects, or server-side request forgery (SSRF).
What is the Exploitability of CVE-2022-1233?
Exploitation requires an attacker to supply a specially crafted URL to an application that uses a vulnerable version of URI.js. The complexity is moderate, as it relies on the application making security decisions based on the incorrectly parsed hostname or origin, while subsequent actions (like making requests) use the actual, misidentified target. No specific authentication or privilege is required for the initial input of the URL. This is a remote vulnerability. Special conditions include the application's reliance on specific parsed URL components for security and the use of the full URL for subsequent actions. Risk factors increase if applications dynamically generate redirects or interact with external resources based on user-supplied URLs without robust validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-1233?
About the Fix from Resolved Security
This patch normalizes excessive leading slashes and backslashes in scheme-relative URLs, ensuring any sequence like //\ or similar is converted to a standard //. This mitigates CVE-2022-1233 by preventing crafted URLs with abnormal slash patterns from bypassing URL parsing logic, which could otherwise enable various security issues such as open redirects or misrouting.
Available Upgrade Options
- urijs
- <1.19.11 → Upgrade to 1.19.11
Additional Resources
- https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277
- https://osv.dev/vulnerability/GHSA-g694-m8vq-gv9h
- https://nvd.nist.gov/vuln/detail/CVE-2022-1233
- https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c
- https://github.com/medialize/uri.js
What are Similar Vulnerabilities to CVE-2022-1233?
Similar Vulnerabilities: CVE-2022-0639, CVE-2021-3796, CVE-2021-23424, CVE-2020-8260, CVE-2020-8174
