CVE-2022-24723
Parsing Issue vulnerability in urijs (npm)

Parsing Issue | No known exploit | Fixable by Resolved Security

What is CVE-2022-24723 About?

This vulnerability is a parsing issue in which `URI.js` does not properly handle leading whitespace in URLs, causing protocol validation mechanisms to fail. It can lead to security bypasses or misinterpretation of URLs, potentially enabling malicious link handling. Exploitation would likely be straightforward, requiring specially crafted URLs with leading whitespace.

Affected Software

urijs <1.19.9

Technical Details

The vulnerability arises because the `URI.parse()` function in URI.js fails to remove whitespace characters from the beginning of a URL's protocol part. This lax parsing allows malformed URLs, such as `" javascript:alert('XSS')"` (note the leading space), to bypass intended protocol validation mechanisms. When such a URL is processed by an application that relies on URI.js for security checks, the leading whitespace can cause the protocol part to be misinterpreted or ignored, leading to the execution of unintended code or access to restricted resources. An attacker would craft URLs with leading whitespace to obscure or misrepresent the actual protocol, tricking the application into processing a seemingly benign but actually malicious URI.
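
The validation gap described above, as an added example that is not URI.js code and not part of the original advisory: `naiveScheme` is a simplified stand-in for a parser that does not trim its input, and `hardenedIsSafe` trims leading whitespace, parses with Node's built-in WHATWG `URL`, and applies an allowlist. The base URL, the allowlist and the sample inputs are constructed assumptions.

```javascript
// Added example (not URI.js code). Runs on Node.js with no dependencies.
const ALLOWED = new Set(['http:', 'https:', 'mailto:']); // assumed allowlist
const BASE = 'https://app.example/'; // hypothetical base for relative links

// Simplified stand-in for a parser that does NOT trim its input: a scheme is
// only recognised when the very first character of the string starts one.
function naiveScheme(input) {
  const m = /^([a-z][a-z0-9.+-]*):/i.exec(input);
  return m ? m[1].toLowerCase() : null; // null = treated as a relative URL
}

// Weak check: a denylist applied to the untrimmed parse result.
function weakIsSafe(input) {
  return naiveScheme(input) !== 'javascript';
}

// Hardened check: strip leading whitespace and control characters (JS \s
// includes the Unicode space characters), parse the way a browser would,
// then allow only known-good protocols.
function hardenedIsSafe(input) {
  const trimmed = String(input).replace(/^[\s\u0000-\u0020]+/, '');
  let url;
  try {
    url = new URL(trimmed, BASE);
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED.has(url.protocol);
}

// Constructed sample inputs.
const SAMPLES = [
  "javascript:alert('XSS')",       // caught by both checks
  " javascript:alert('XSS')",      // leading ASCII space
  "\u00a0javascript:alert('XSS')", // leading Unicode no-break space
  'https://example.com/page',
  '/relative/path',
];

function compare(samples) {
  return samples.map((s) => ({
    input: JSON.stringify(s),
    weak: weakIsSafe(s),
    hardened: hardenedIsSafe(s),
  }));
}

console.table(compare(SAMPLES));
```

The second and third rows are the ones to watch: the denylist on the untrimmed parse accepts them, while the trimmed allowlist check rejects them.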

What is the Impact of CVE-2022-24723?

Successful exploitation may allow attackers to bypass security checks, leading to unintended behavior, or potentially enable cross-site scripting (XSS) or other injection attacks due to improper URL interpretation.

What is the Exploitability of CVE-2022-24723?

Exploitation of this vulnerability is considered low to medium complexity, as it primarily involves crafting a URL with leading whitespace characters. No authentication or specific privileges are required for a perpetrator to craft and deliver the malicious URL. The attack is remote, as it relies on enticing a user or an automated system to process a malformed URI. The primary condition for exploitation is that the target application uses URI.js for URL parsing and does not apply its own sanitization for leading whitespace characters before passing input to URI.parse. The likelihood of exploitation increases in applications that handle user-supplied URLs without stringent input validation, especially when performing security-sensitive operations based on the parsed protocol.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2022-24723?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch removes leading whitespace, including various Unicode spaces, from input URLs before processing. This addresses CVE-2022-24723 by ensuring that malicious URLs with leading whitespace cannot bypass security checks or be misinterpreted by the URI parser, eliminating an opportunity for attackers to craft deceptive or harmful links.

Available Upgrade Options

  • urijs
    • <1.19.9 → Upgrade to 1.19.9

Additional Resources

What are Similar Vulnerabilities to CVE-2022-24723?

Similar Vulnerabilities: CVE-2019-11358, CVE-2018-3720, CVE-2020-7798, CVE-2021-3807, CVE-2021-23382