CVE-2021-27516

Name of the Vulnerable Software and Affected Versions URI.js versions prior to 1.19.6

Description The issue concerns the mishandling of backslash characters in certain URI schemes, such as http:/, which can lead to incorrect interpretation of the URI as a relative path. This can result in hostname spoofing when using affected versions to determine a URL's hostname. Impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior, depending on library usage and attacker intent. For example, a URL like https:/expected-example.com/path can be used to bypass security decisions.

Recommendations For versions prior to 1.19.6, update to version 1.19.6 or later to resolve the issue. As a temporary workaround, consider validating URLs to prevent the use of backslash characters in scheme delimiters. Restrict access to URLs that may be interpreted as relative paths to minimize the risk of exploitation. Avoid using the backslash character in URI schemes until the issue is resolved.