Vulnerability	Vulnerable Version
M Improper Input Validation parse-url is an An advanced url parser supporting git urls too. Affected versions of this package are vulnerable to Improper Input Validation due to incorrect parsing of URLs. This allows the attacker to craft a malformed URL which can lead to a phishing attack. const parseUrl = require("parse-url"); const Url = require("url"); const express = require('express'); const app = express(); var url = "https://www.google.com:x@fakesite.com:x"; parsed = parseUrl(url); console.log("[]`parse-url` output: ") console.log(parsed); parsed2 = Url.parse(url); console.log("[]`url` output: ") console.log(parsed2) app.get('/', (req, res) => { if (parsed.host == "www.google.com") { res.send("<a href=\'" + parsed2.href + "\'>CLICK ME!</a>") } }) app.listen(8888,"0.0.0.0"); How to fix Improper Input Validation? Upgrade `parse-url` to version 8.1.0 or higher.	<8.1.0
M Server-side Request Forgery (SSRF) parse-url is an An advanced url parser supporting git urls too. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper detection of protocol, resource, and pathname fields. Exploiting this vulnerability results in bypassing protocol verification. How to fix Server-side Request Forgery (SSRF)? Upgrade `parse-url` to version 8.1.0 or higher.	<8.1.0

Improper Input Validation

parse-url is an An advanced url parser supporting git urls too.

Affected versions of this package are vulnerable to Improper Input Validation due to incorrect parsing of URLs. This allows the attacker to craft a malformed URL which can lead to a phishing attack.


const parseUrl = require("parse-url");
const Url = require("url");

const express = require('express');
const app = express();

var url = "https://www.google.com:x@fakesite.com:x";
parsed = parseUrl(url);
console.log("[*]`parse-url` output: ")
console.log(parsed);

parsed2 = Url.parse(url);
console.log("[*]`url` output: ")
console.log(parsed2)

app.get('/', (req, res) => {
    if (parsed.host == "www.google.com") {
        res.send("<a href=\'" + parsed2.href + "\'>CLICK ME!</a>")
    }
})

app.listen(8888,"0.0.0.0");

How to fix Improper Input Validation?

Upgrade parse-url to version 8.1.0 or higher.

<8.1.0

Server-side Request Forgery (SSRF)

parse-url is an An advanced url parser supporting git urls too.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper detection of protocol, resource, and pathname fields. Exploiting this vulnerability results in bypassing protocol verification.

How to fix Server-side Request Forgery (SSRF)?

Upgrade parse-url to version 8.1.0 or higher.

<8.1.0

Go back to all versions of this package