PT-2020-16409 · Medikoo · Uri.Js
Alesandro Ortiz · Published 2020-12-30 · Updated 2022-11-29 · CVE-2020-26291
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
URI.js versions prior to 1.19.4
Description
The hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example, the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.
Recommendations
For versions prior to 1.19.4, update to version 1.19.4 to resolve the issue. As a temporary workaround, consider avoiding the use of backslash (`\`) characters followed by an at (`@`) character in URLs until a patch is applied. Restrict access to sensitive resources based on hostname to minimize the risk of exploitation. Avoid using the hostname in security decisions if it is not properly validated.
Fix
RCE
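The following is an added example, not code from the URI.js project or from this advisory. It contrasts a simplified, constructed model of a non-WHATWG authority parser (which ends the authority at the first `/` and takes the text after the last `@` as the host, the behavior the description attributes to affected versions) with Node's built-in WHATWG `URL` class, where `\` terminates the authority for special schemes such as `https`. It also shows an allow-list check that makes its decision on the WHATWG hostname and refuses any input on which the two parsers disagree. The function names and sample URLs are constructed; it assumes Node.js 10 or later, where `URL` is a global.

```javascript
// Added example (not URI.js project code). Assumes Node.js with the global WHATWG URL class.

// Simplified model of a non-WHATWG authority parser (constructed for illustration,
// not URI.js source): the authority ends at the first "/" only, and the host is the
// text after the last "@". A backslash is not treated as a delimiter here.
function naiveHostname(urlString) {
  const schemeEnd = urlString.indexOf('://');
  if (schemeEnd === -1) return null;
  let authority = urlString.slice(schemeEnd + 3);
  const slash = authority.indexOf('/');
  if (slash !== -1) authority = authority.slice(0, slash);
  const at = authority.lastIndexOf('@');
  if (at !== -1) authority = authority.slice(at + 1);
  return authority.toLowerCase();
}

// WHATWG parsing (browsers, Node's URL class): for special schemes such as https a "\"
// ends the authority, so everything from "@" onward becomes the path, not the host.
function whatwgHostname(urlString) {
  try {
    return new URL(urlString).hostname;
  } catch (e) {
    return null; // unparseable input: treat as having no host
  }
}

// Hostname-based allow-list decision. It is made on the WHATWG hostname (the host a
// browser or Node client would actually connect to) and additionally rejects inputs on
// which the two parsers disagree, which is exactly the shape of a spoofing attempt.
function isAllowedDestination(urlString, allowedHosts) {
  const canonical = whatwgHostname(urlString);
  if (canonical === null) return false;
  if (naiveHostname(urlString) !== canonical) return false;
  return allowedHosts.includes(canonical);
}

// Constructed sample inputs, including the backslash-before-@ shape from the advisory.
const SAMPLES = [
  'https://expected-example.com/path',
  'https://expected-example.com\\@observed-example.com',
  'https://user:pw@expected-example.com/',
];

for (const s of SAMPLES) {
  console.log(s.padEnd(52), 'naive:', naiveHostname(s), ' whatwg:', whatwgHostname(s));
}
```

Running the block prints the two hostnames side by side for each sample; only the backslash sample makes the parsers disagree. Logging that disagreement is a cheap detection signal for the spoofing pattern, while the allow-list function shows the mitigation: decide on the canonical hostname and treat parser disagreement as a failed check.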
Weakness Enumeration
Related Identifiers
Affected Products
Uri.Js