Improper Input Validation The advisory has been revoked - it doesn't affect any version of package nodejs  (opens in a new tab)


Threat Intelligence

EPSS
4.05% (90th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UBUNTU1604-NODEJS-312677
  • published2 Dec 2018
  • disclosed28 Nov 2018

Introduced: 28 Nov 2018

CVE-2018-12123  (opens in a new tab)
CWE-20  (opens in a new tab)

Amendment

The Ubuntu security team deemed this advisory irrelevant for Ubuntu:16.04.

NVD Description

Note: Versions mentioned in the description apply only to the upstream nodejs package and not the nodejs package as distributed by Ubuntu.

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.