CVE-2022-2900
Server-Side Request Forgery (SSRF) vulnerability in parse-url (npm)

Category: Server-Side Request Forgery (SSRF) | Exploit status: No known exploit | Fix status: Fixable by Resolved Security

What is CVE-2022-2900 About?

This vulnerability is a Server-Side Request Forgery (SSRF) in the `ionicabizau/parse-url` library prior to version 8.1.0. Attackers can manipulate input to force the server to make requests to arbitrary locations, potentially exposing internal network resources or sensitive data. Exploitation is relatively straightforward by crafting specific URLs.

Affected Software

parse-url <8.1.0

Technical Details

The Server-Side Request Forgery (SSRF) vulnerability in ionicabizau/parse-url prior to 8.1.0 exists because the library, when processing URLs, does not adequately validate or sanitize user-supplied input before making requests or interacting with internal resources. An attacker can craft a malicious URL that, when parsed by the vulnerable library on the server, causes the server to initiate a request to an arbitrary internal or external destination. This can involve using schemes like file://, ftp://, or gopher://, or abusing redirects, allowing the attacker to access internal network services, retrieve local files, or scan internal networks that would otherwise be inaccessible from the external internet.

What is the Impact of CVE-2022-2900?

Successful exploitation may allow attackers to force the server to make unauthorized requests to internal or external systems, leading to information disclosure, access to internal services, or further attacks.

What is the Exploitability of CVE-2022-2900?

Exploitation is typically low to medium complexity, requiring an attacker to provide a specially crafted URL as input to an application that uses the vulnerable ionicabizau/parse-url library. No authentication is inherently required to trigger the vulnerability if the application processes unauthenticated URLs. No specific privileges are needed on the target system other than the ability to make requests to the application. This is a remote exploitation vulnerability. The special condition is that the application must be using the ionicabizau/parse-url library in a way that exposes URL parsing to untrusted input. The risk increases if the server has access to a sensitive internal network or contains valuable local files.
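For an application that, as described in the technical details and exploitability sections above, takes a URL from untrusted input and then uses the parsed result to decide where to send a request, one defensive pattern is to validate the input with Node's built-in WHATWG URL parser and an explicit scheme and host allowlist before any request is made. This is an added example and not code from parse-url, from this advisory, or from Resolved Security; the hostnames and sample inputs are constructed placeholders.

```javascript
// Added example (not from the advisory or parse-url): validate an untrusted URL
// with Node's built-in WHATWG URL parser before any outbound request is made.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns { ok: true, url } for an acceptable URL, otherwise { ok: false, reason }.
function checkOutboundUrl(input, allowedHosts) {
  if (typeof input !== 'string' || input.length === 0) {
    return { ok: false, reason: 'empty input' };
  }
  // Backslashes and whitespace are interpreted differently by different
  // parsers; reject them outright rather than guessing which host wins.
  if (/[\\\s]/.test(input)) {
    return { ok: false, reason: 'ambiguous characters in URL' };
  }
  let url;
  try {
    url = new URL(input); // no base URL, so relative inputs are rejected
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    // Blocks file:, ftp:, gopher: and any other non-HTTP scheme.
    return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  // Embedded credentials make the text before '@' look like the host
  // (http://trusted@attacker/); a request target never needs them.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials in URL' };
  }
  if (!allowedHosts.has(url.hostname.toLowerCase())) {
    return { ok: false, reason: `host not allowed: ${url.hostname}` };
  }
  return { ok: true, url };
}

// Constructed sample inputs; the example.test hostnames are placeholders.
const SAMPLE_INPUTS = [
  'https://api.example.test/v1/items',
  'file:///etc/hosts',
  'gopher://internal.example.test:70/',
  'http://api.example.test@evil.example.test/',
  'http://evil.example.test\\@api.example.test/',
  'http://evil.example.test/',
];

// Runs every sample against an allowlist of one host and returns the verdicts.
function runSamples() {
  const allowed = new Set(['api.example.test']);
  return SAMPLE_INPUTS.map((s) => checkOutboundUrl(s, allowed).ok);
}
```

The check only covers the first request target, so if the request is later redirected, each hop must be passed through the same function again (for example by fetching with `redirect: 'manual'`).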

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-2900?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • parse-url
    • <8.1.0 → Upgrade to 8.1.0


Additional Resources

What are Similar Vulnerabilities to CVE-2022-2900?

Similar Vulnerabilities: CVE-2023-28432, CVE-2023-27043, CVE-2023-25136, CVE-2022-41852, CVE-2022-38605