CVE-2022-2218
Cross-site Scripting (XSS) vulnerability in parse-url (npm)

Cross-site Scripting (XSS) No known exploit

What is CVE-2022-2218 About?

The `ionicabizau/parse-url` GitHub repository (all versions prior to 7.0.0) is vulnerable to a Stored Cross-site Scripting (XSS) attack. An attacker can inject malicious scripts into saved data, and those scripts execute when other users view it. Exploitation is relatively easy when user-supplied input is not properly sanitized before the package processes it.

Affected Software

parse-url <6.0.1

Technical Details

The ionicabizau/parse-url package, prior to version 7.0.0, is susceptible to Stored Cross-site Scripting (XSS). This occurs when attacker-supplied URLs or related data are processed by the package and stored by the application without adequate sanitization. An attacker can craft a malicious input string containing JavaScript code embedded within URL components (e.g., in a path, query parameter, or fragment that is later reflected without encoding). When this malicious data is retrieved and rendered by a web application using the vulnerable package, the injected script executes in the victim's browser context. The 'stored' nature implies persistence: the malicious payload remains in the application's data layer until it is accessed.
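The mitigation the description points at is output encoding: every parsed URL component must be HTML-encoded at the point it is rendered, whatever the parser returned. The following is an added example written for this page, not code from the advisory or from the parse-url project; the shape of the `parsed` object (protocol, resource, pathname, search, hash) and the sample stored URL are assumptions constructed for the demonstration.

```javascript
// Added example (not from the advisory or parse-url): encode every URL
// component on output so stored markup in a path, query or fragment is
// rendered as inert text instead of executing in the viewer's browser.

// Only these schemes are turned into clickable links; anything else is
// shown as plain escaped text.
const SAFE_LINK_PROTOCOLS = new Set(["http", "https"]);

// Replace the characters that can close an attribute or open a tag.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  const text = value == null ? "" : String(value);
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Rebuild a display string from parsed components, escaping each part
// separately so nothing stored in any component reaches the page raw.
// The component names are an assumed parser output shape.
function renderUrlText(parsed) {
  const e = (k) => escapeHtml(parsed[k]);
  return `${e("protocol")}://${e("resource")}${e("pathname")}${e("search")}${e("hash")}`;
}

// Render a stored URL for display: a link for http(s), otherwise a span.
// The href uses the same escaped string, so attribute breakout is blocked.
function renderUrlLink(parsed) {
  const text = renderUrlText(parsed);
  const proto = String(parsed.protocol || "").toLowerCase();
  if (!SAFE_LINK_PROTOCOLS.has(proto)) {
    return `<span>${text}</span>`;
  }
  return `<a href="${text}">${text}</a>`;
}

// Constructed sample: a stored URL whose fragment carries a script tag.
const STORED = {
  protocol: "https",
  resource: "example.com",
  pathname: "/profile",
  search: "?tab=posts",
  hash: "#<script>alert(1)</script>",
};

console.log(renderUrlLink(STORED));
```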

What is the Impact of CVE-2022-2218?

Successful exploitation may allow attackers to inject arbitrary web scripts in the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites.

What is the Exploitability of CVE-2022-2218?

Exploitation of this Stored XSS vulnerability is of low complexity. The primary prerequisite is an application that uses the ionicabizau/parse-url package (prior to 7.0.0) and allows untrusted user input that can be stored and later displayed. Authentication might be required to submit the malicious input if the storage mechanism is protected. The attack is remote: an attacker injects the payload, which is then stored and served to other users. The key condition is the lack of proper input validation and output encoding by the application when handling data processed by the vulnerable parse-url package.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-2218?

Available Upgrade Options

  • parse-url
    • <6.0.1 → Upgrade to 6.0.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-2218?

Similar Vulnerabilities: CVE-2022-23647, CVE-2022-24891, CVE-2021-41183, CVE-2021-41193, CVE-2021-32640