CVE-2022-1243
XSS vulnerability in urijs (npm)

Type: XSS | Known exploit: none | Fixable by: Resolved Security

What is CVE-2022-1243 About?

This vulnerability is an XSS (Cross-Site Scripting) flaw in the npm package urijs prior to version 1.19.11, where an attacker can inject malicious script into rendered web pages. Attackers can control how a user's browser interacts with a website to steal sensitive data or perform unauthorized actions. It is easily exploitable by inserting specific control characters into user-supplied URLs.

Affected Software

urijs <1.19.11

Technical Details

The vulnerability arises because the npm package urijs, in versions prior to 1.19.11, mishandles specific characters like carriage return (\r), newline (\n), and tab (\t) when extracting the protocol from user-supplied URLs. When such characters are present, the parsing logic can be bypassed, leading to incorrect protocol extraction. For example, an input like "ja\r\nvascript:alert(1)" might not be identified as a javascript: protocol by the sanitization logic, allowing a malicious javascript: link to pass through, even though the browser will ignore those characters and treat the link as javascript:. If this parsed (and incorrectly sanitized) URL is then used in a context like an iframe src attribute in an HTML page, it directly leads to XSS payload execution in the victim's browser.

What is the Impact of CVE-2022-1243?

Successful exploitation may allow attackers to inject arbitrary client-side scripts, hijack user sessions, deface web pages, or redirect users to malicious sites, compromising user privacy and data integrity.

What is the Exploitability of CVE-2022-1243?

Exploitation of this vulnerability is relatively easy, requiring only a crafted input string containing specific control characters. Prerequisites include a system using the vulnerable urijs package and an application that incorporates user-provided URLs in a context like an HTML attribute without proper sanitization after parsing. No authentication is strictly required if the input field is public-facing. Privilege requirements are low, as the attack targets client-side execution. It is remotely exploitable, as the attacker delivers the payload through the application. The primary risk factor increasing exploitation likelihood is reliance on the vulnerable urijs package for URL parsing combined with a lack of robust input validation and output encoding at the application level.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-1243?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch removes ASCII tab, line feed, and carriage return characters from input URLs, preventing them from being used to obfuscate malicious protocols like javascript: in CVE-2022-1243. This mitigates the vulnerability by ensuring that script-based URLs disguised with embedded control characters cannot bypass security filters.
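To make the defect in Technical Details and the fix described here concrete, the following is an added example (not urijs code) that models both behaviours: a scheme check that runs on the raw string misses "ja\r\nvascript:", while the same check after stripping ASCII tab, LF and CR catches it. The helper names and the sample inputs are constructed for this illustration.

```javascript
// Added illustration of CVE-2022-1243, not code from urijs.
// Blocked schemes: the page only discusses javascript:, so that is all we list.
const BLOCKED_SCHEMES = new Set(["javascript"]);

// Hypothetical naive scheme extractor: scheme chars up to the first ":".
function extractScheme(url) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Weak check (models urijs < 1.19.11): a CR/LF/TAB inside the scheme stops
// the match, so no scheme is found and the URL is wrongly treated as safe,
// even though a browser discards those characters and runs it as javascript:.
function isSafeUrlWeak(url) {
  const scheme = extractScheme(url);
  return scheme === null || !BLOCKED_SCHEMES.has(scheme);
}

// Hardened check (models the 1.19.11 patch): remove ASCII tab, line feed and
// carriage return before any parsing, so the check sees what the browser sees.
function stripControlChars(url) {
  return url.replace(/[\t\n\r]/g, "");
}

function isSafeUrlFixed(url) {
  const scheme = extractScheme(stripControlChars(url));
  return scheme === null || !BLOCKED_SCHEMES.has(scheme);
}

// Constructed sample inputs, including the obfuscated form from the advisory.
const SAMPLE_URLS = [
  "https://example.com/path",
  "javascript:alert(1)",
  "ja\r\nvascript:alert(1)",
  "java\tscript:alert(1)",
];

// Returns one row per sample so the two checks can be compared side by side.
function compareChecks() {
  return SAMPLE_URLS.map((url) => ({
    url,
    weak: isSafeUrlWeak(url),
    fixed: isSafeUrlFixed(url),
  }));
}
```

Running compareChecks() shows the weak check passing the two control-character variants while the fixed check rejects them; only the https URL is safe under both.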

Available Upgrade Options

  • urijs
    • <1.19.11 → Upgrade to 1.19.11


Additional Resources

What are Similar Vulnerabilities to CVE-2022-1243?

Similar Vulnerabilities: CVE-2023-28155, CVE-2023-28156, CVE-2023-28157, CVE-2023-28158, CVE-2023-28159