CVE-2021-3647

Name of the Vulnerable Software and Affected Versions URI.js versions prior to 1.19.7

Description The issue allows URL redirection to untrusted sites by using a combination of backslash (``) and slash (/) characters as part of the scheme delimiter. This can lead to incorrect security decisions if the hostname is used in such decisions. Impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example, a URL like https:///expected-example.com/path can be used to spoof the hostname.

Recommendations For versions prior to 1.19.7, update to version 1.19.7 or later to patch the issue. As a temporary workaround, consider validating URLs manually to prevent incorrect hostname parsing until the update is applied. Restrict access to sensitive areas that rely on the hostname for security decisions to minimize the risk of exploitation.