CVE-2022-2217
Cross-site Scripting (XSS) vulnerability in parse-url (npm)


What is CVE-2022-2217 About?

This vulnerability is a generic Cross-site Scripting (XSS) flaw found in `ionicabizau/parse-url` prior to 6.0.1. It allows attackers to inject malicious scripts into web pages, which are then executed in the context of the user's browser. This is a common and relatively easy-to-exploit vulnerability, often requiring user interaction.

Affected Software

parse-url <6.0.1

Technical Details

The Cross-site Scripting (XSS) vulnerability in ionicabizau/parse-url (versions prior to 6.0.1) arises from insufficient sanitization or encoding of input that is subsequently rendered in a web page: untrusted data handled by parse-url is embedded directly into HTML without proper escaping. An attacker can place malicious client-side script (e.g., JavaScript) in a URL that is processed by parse-url. When that URL, or content derived from it, is later displayed to a user in a web browser, the embedded script executes in the context of the user's browser, allowing attackers to steal session cookies, deface websites, or redirect users to malicious sites.
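The defensive pattern the description implies, as an added example rather than code from parse-url or from the advisory: every field a URL parser returns is treated as untrusted, the scheme is checked against an allowlist before it can reach an `href`, and the rebuilt link is HTML-escaped before rendering. The field names (`protocol`, `resource`, `pathname`, `search`, `hash`) are assumed to follow parse-url's result shape; the parser itself is not imported, so the snippet runs offline on constructed input.

```javascript
// Added example, not parse-url's own code. Field names follow parse-url's
// result object as an assumption; no parser is imported.
const ALLOWED_PROTOCOLS = new Set(["http", "https", "mailto"]);

// Minimal HTML entity encoding, safe for text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Rebuild a link from individually vetted parts instead of trusting the
// parser's own href. Returns null (render nothing) when the scheme is not on
// the allowlist, so a script-bearing scheme never lands in an href attribute.
function renderParsedUrlAsLink(parsed) {
  const protocol = String(parsed.protocol || "").toLowerCase();
  if (!ALLOWED_PROTOCOLS.has(protocol)) return null;

  const authority = protocol === "mailto" ? "" : "//";
  const search = parsed.search ? "?" + parsed.search : "";
  const hash = parsed.hash ? "#" + parsed.hash : "";
  const href = `${protocol}:${authority}${parsed.resource || ""}${parsed.pathname || ""}${search}${hash}`;

  // Escape once, at the point of HTML insertion, for both attribute and text.
  const safeHref = escapeHtml(href);
  return `<a href="${safeHref}">${safeHref}</a>`;
}

// Constructed sample: a fragment carrying markup is neutralised by encoding.
const sampleParsed = {
  protocol: "https",
  resource: "example.com",
  pathname: "/docs",
  search: "",
  hash: '"><img src=x>',
};
console.log(renderParsedUrlAsLink(sampleParsed));
```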

What is the Impact of CVE-2022-2217?

Successful exploitation may allow attackers to execute arbitrary client-side script in the victim's browser, steal session cookies, deface webpages, perform actions on behalf of the user, or redirect users to malicious websites.

What is the Exploitability of CVE-2022-2217?

Exploitation of this XSS vulnerability is typically of moderate complexity, requiring user interaction (e.g., clicking a malicious link) in the reflected case and no interaction in the stored case. No authentication or privilege is required for the attacker to inject the script, although the impact is greater if the victim has higher privileges. The attack is remote, delivered through crafted URLs or malicious data inputs. The precondition is that the application reflects or stores unsanitized output from parse-url in a web context. Risk is high for web applications that fail to properly sanitize or encode all user-supplied input before rendering it in the browser, especially when using vulnerable versions of ionicabizau/parse-url.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link, or commentary entries are listed).

What are the Available Fixes for CVE-2022-2217?

Available Upgrade Options

  • parse-url
    • <6.0.1 → Upgrade to 6.0.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-2217?

Similar Vulnerabilities: CVE-2023-38646, CVE-2022-31129, CVE-2021-39144, CVE-2020-11022, CVE-2019-11324