parse-url 4.0.0 vulnerabilities

Known vulnerabilities in the parse-url package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Improper Input Validation parse-url is an An advanced url parser supporting git urls too. Affected versions of this package are vulnerable to Improper Input Validation due to incorrect parsing of URLs. This allows the attacker to craft a malformed URL which can lead to a phishing attack. const parseUrl = require("parse-url"); const Url = require("url"); const express = require('express'); const app = express(); var url = "https://www.google.com:x@fakesite.com:x"; parsed = parseUrl(url); console.log("[]`parse-url` output: ") console.log(parsed); parsed2 = Url.parse(url); console.log("[]`url` output: ") console.log(parsed2) app.get('/', (req, res) => { if (parsed.host == "www.google.com") { res.send("<a href=\'" + parsed2.href + "\'>CLICK ME!</a>") } }) app.listen(8888,"0.0.0.0"); How to fix Improper Input Validation? Upgrade `parse-url` to version 8.1.0 or higher.	<8.1.0
M Server-side Request Forgery (SSRF) parse-url is an An advanced url parser supporting git urls too. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper detection of protocol, resource, and pathname fields. Exploiting this vulnerability results in bypassing protocol verification. How to fix Server-side Request Forgery (SSRF)? Upgrade `parse-url` to version 8.1.0 or higher.	<8.1.0
M Cross-site Scripting (XSS) parse-url is an An advanced url parser supporting git urls too. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of special ASCII characters that start with `\r\r` or `\r`. This vulnerability exists due to an incomplete fix for CVE-2022-2217. How to fix Cross-site Scripting (XSS)? Upgrade `parse-url` to version 6.0.1 or higher.	<6.0.1
C Server-side Request Forgery (SSRF) parse-url is an An advanced url parser supporting git urls too. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the `parseUrl` function, due to mishandling hostnames when processing usernames and passwords. How to fix Server-side Request Forgery (SSRF)? Upgrade `parse-url` to version 6.0.1 or higher.	<6.0.1
M Cross-site Scripting (XSS) parse-url is an An advanced url parser supporting git urls too. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of special characters for ASCII that start with `\x` and also for all Unicodes start with `\u`. How to fix Cross-site Scripting (XSS)? Upgrade `parse-url` to version 6.0.1 or higher.	<6.0.1
M Information Exposure parse-url is an An advanced url parser supporting git urls too. Affected versions of this package are vulnerable to Information Exposure due to improper validation. How to fix Information Exposure? Upgrade `parse-url` to version 6.0.1 or higher.	<6.0.1

Vulnerability

Vulnerable Version

Improper Input Validation

parse-url is an An advanced url parser supporting git urls too.

Affected versions of this package are vulnerable to Improper Input Validation due to incorrect parsing of URLs. This allows the attacker to craft a malformed URL which can lead to a phishing attack.


const parseUrl = require("parse-url");
const Url = require("url");

const express = require('express');
const app = express();

var url = "https://www.google.com:x@fakesite.com:x";
parsed = parseUrl(url);
console.log("[*]`parse-url` output: ")
console.log(parsed);

parsed2 = Url.parse(url);
console.log("[*]`url` output: ")
console.log(parsed2)

app.get('/', (req, res) => {
    if (parsed.host == "www.google.com") {
        res.send("<a href=\'" + parsed2.href + "\'>CLICK ME!</a>")
    }
})

app.listen(8888,"0.0.0.0");

How to fix Improper Input Validation?

Upgrade parse-url to version 8.1.0 or higher.

<8.1.0

Server-side Request Forgery (SSRF)

parse-url is an An advanced url parser supporting git urls too.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper detection of protocol, resource, and pathname fields. Exploiting this vulnerability results in bypassing protocol verification.

How to fix Server-side Request Forgery (SSRF)?

Upgrade parse-url to version 8.1.0 or higher.

<8.1.0

Cross-site Scripting (XSS)

parse-url is an An advanced url parser supporting git urls too.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of special ASCII characters that start with \r\r or \r. This vulnerability exists due to an incomplete fix for CVE-2022-2217.

How to fix Cross-site Scripting (XSS)?

Upgrade parse-url to version 6.0.1 or higher.

<6.0.1

Server-side Request Forgery (SSRF)

parse-url is an An advanced url parser supporting git urls too.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the parseUrl function, due to mishandling hostnames when processing usernames and passwords.

How to fix Server-side Request Forgery (SSRF)?

Upgrade parse-url to version 6.0.1 or higher.

<6.0.1

Cross-site Scripting (XSS)

parse-url is an An advanced url parser supporting git urls too.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of special characters for ASCII that start with \x and also for all Unicodes start with \u.

How to fix Cross-site Scripting (XSS)?

Upgrade parse-url to version 6.0.1 or higher.

<6.0.1

Information Exposure

parse-url is an An advanced url parser supporting git urls too.

Affected versions of this package are vulnerable to Information Exposure due to improper validation.

How to fix Information Exposure?

Upgrade parse-url to version 6.0.1 or higher.

<6.0.1

parse-url@4.0.0 vulnerabilities

An advanced url parser supporting git urls too.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?