CVE-2022-2216
Server-Side Request Forgery (SSRF) vulnerability in parse-url (npm)
What is CVE-2022-2216 About?
This vulnerability is a Server-Side Request Forgery (SSRF) flaw in the `ionicabizau/parse-url` npm library. The summary on this page describes the affected range as versions prior to 7.0.0, while the upgrade table below gives 6.0.1 as the fixed release; check the linked advisory for the authoritative range before deciding whether a pinned version is affected. When an application passes a user-controlled URL through parse-url and relies on the parsed result to decide whether that URL is safe to fetch, an attacker can craft input that passes the check but causes the server to send a request to a destination of the attacker's choosing. The impact can be severe, including port scanning of internal networks and access to internal services. Exploitation is straightforward when user-controlled input reaches the vulnerable function directly.
Affected Software
- parse-url (npm), versions before 6.0.1 (see Available Upgrade Options below)
Technical Details
parse-url is a parsing library: it takes a URL string and returns its components (`protocol`, `resource` for the hostname, `port`, `pathname`, `query` and so on). It never issues a request itself, so the SSRF is indirect. Applications commonly parse a user-supplied URL, check the parsed scheme, host or port against a policy (an allowlist of permitted hosts, or a rule that rejects `localhost` and private ranges), and then hand the original string to an HTTP client. In affected versions, specially crafted input caused parse-url to report components that did not match how the HTTP client would interpret the same string. A URL that passed the application's check could therefore still produce a request to a host, port or scheme the policy was meant to forbid, for example `http://localhost:8080/admin` on an internal service, or `file:///etc/passwd` with a client that honours that scheme, and the response could be returned to the attacker. The exact inputs that triggered the misparse are documented in the huntr report and the fix commit linked under Additional Resources below. The root cause is insufficient parsing and sanitation of URL components, which let an attacker construct strings whose parsed form and actual destination diverge.
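As an added example, not code from parse-url, the huntr report or the fix commit, the block below shows the shape of the problem and the defence in a Node.js application. `naiveHost` is a constructed stand-in for hand-rolled URL parsing of the kind an allowlist check might rely on; it is not parse-url's implementation and does not reproduce the specific misparse behind this CVE. `validateOutboundUrl` is the hardened form: it parses with Node's built-in WHATWG `URL` class, the same parser `fetch()` and `undici` use, so the hostname that is checked is the hostname that will be connected to, and it rejects unexpected schemes, ports, embedded credentials and internal IP literals before consulting the allowlist. The allowlist `ALLOWED_HOSTS`, the hostnames and the sample URLs in `SAMPLES` are constructed for illustration.

```javascript
// Added illustration, not parse-url's code: a naive host check that a
// fragment can fool, beside a hardened check built on Node's WHATWG URL parser.
// ALLOWED_HOSTS, ALLOWED_PORTS and SAMPLES are constructed for this example.

const ALLOWED_HOSTS = new Set(["api.example.com", "cdn.example.com"]); // hypothetical
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const ALLOWED_PORTS = new Set(["", "80", "443"]); // "" = the scheme's default port

// Vulnerable pattern (hand-rolled, shown for contrast): strip the scheme, take
// the text up to the first "/", and treat whatever follows the last "@" as the
// host. It ignores "#" and "?", so a fragment can masquerade as userinfo.
function naiveHost(input) {
  const withoutScheme = input.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const authority = withoutScheme.split("/")[0];
  return authority.split("@").pop().split(":")[0].toLowerCase();
}

function naiveCheck(input) {
  return ALLOWED_HOSTS.has(naiveHost(input));
}

// IP literals that must never be fetched on a user's behalf: loopback,
// unspecified, RFC 1918, link-local (which includes the 169.254.169.254
// cloud metadata address) and IPv6 loopback. URL.hostname keeps IPv6 literals
// bracketed and normalises IPv4 forms such as 0177.0.0.1 to 127.0.0.1 first.
function isInternalHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]" || h === "[::]") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false; // a DNS name, not a literal: see the note on resolution
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Hardened check: parse with the same parser the HTTP client uses, reject
// unexpected schemes, credentials, ports and internal literals, then compare
// url.hostname with the allowlist. Callers must fetch the returned href,
// never the original string.
function validateOutboundUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  if (!ALLOWED_PORTS.has(url.port)) return { ok: false, reason: "port" };
  if (isInternalHost(url.hostname)) return { ok: false, reason: "internal-host" };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: "host-not-allowed" };
  return { ok: true, href: url.href, hostname: url.hostname };
}

// Constructed inputs: an allowed URL, a fragment the naive check reads as
// userinfo, credentials in front of a loopback host, the metadata address and
// a non-HTTP scheme.
const SAMPLES = [
  "https://api.example.com/v1/items",
  "http://evil.example#@api.example.com/",
  "http://api.example.com@127.0.0.1:8080/admin",
  "http://169.254.169.254/latest/meta-data/",
  "file:///etc/passwd",
];

// For one input, what each check decides and why the hardened one refused.
function compare(input) {
  const r = validateOutboundUrl(input);
  return { input, naive: naiveCheck(input), hardened: r.ok, reason: r.reason || "ok" };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) console.log(compare(s));
}
```

Run with `node` to print, for each sample, whether the naive and hardened checks accept it; the second sample is the one where they disagree, because the WHATWG parser treats `#@api.example.com/` as a fragment and reports `evil.example` as the host. Two caveats apply regardless of which parser is used: `isInternalHost` inspects only IP literals, so a hostname that resolves to an internal address, or that changes its answer between the check and the connection (DNS rebinding), still needs a resolve-then-pin step in the HTTP client; and the client must either refuse redirects or re-run the check on every redirect target. Upgrading parse-url removes the misparse, but a parser alone cannot provide these controls.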
What is the Impact of CVE-2022-2216?
Successful exploitation may allow attackers to force the server-side application to make arbitrary network requests, potentially leading to information disclosure, access to internal services, port scanning of internal networks, or bypassing firewall rules.
What is the Exploitability of CVE-2022-2216?
Exploitation complexity is moderate and depends on how the application handles the URL before and after it reaches parse-url. No credentials are needed if an unauthenticated endpoint accepts a URL; otherwise ordinary user privileges suffice, since the only requirement is the ability to submit a URL. The attack is remote: the attacker sends the crafted URL to the server, and the server makes the forged request. Two conditions must hold: the application depends on an affected version of ionicabizau/parse-url, and it trusts the parsed components (or performs no further validation) before issuing the request. The likelihood is highest for public-facing features that fetch URLs from untrusted sources, such as image loaders, webhook configurators and URL preview services.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2022-2216?
Available Upgrade Options
- parse-url
- <6.0.1 → Upgrade to 6.0.1
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-2216
- https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1
- https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3
- https://osv.dev/vulnerability/GHSA-7f3x-x4pr-wqhj
What are Similar Vulnerabilities to CVE-2022-2216?
Similar Vulnerabilities: CVE-2021-39226, CVE-2021-43297, CVE-2021-44228, CVE-2020-13692, CVE-2020-9488
