PT-2022-12976 · Unknown · Node-Forge

Published 2022-01-06 · Updated 2022-01-21 · CVE-2022-0122

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

forge versions prior to 1.0.0

Description

The issue concerns a URL redirection vulnerability to untrusted sites. The parseUrl functionality in node-forge mishandles certain uses of backslash, such as https:///, and interprets the URI as a relative path. This could lead to undesired behavior due to improper parsing of certain inputs by the regex used for the forge.util.parseUrl API.

Recommendations

For versions prior to 1.0.0, ensure code does not directly or indirectly call forge.util.parseUrl with untrusted input. Consider updating to version 1.0.0 or later, where forge.util.parseUrl and other related URL APIs were removed in favor of the more modern WHATWG URL Standard API.
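The following is an added example (not node-forge code and not part of this advisory) of the recommended approach: a redirect handler that validates an untrusted target with the WHATWG URL parser (Node's global URL) instead of a hand-written regex, and only follows it when it resolves to the application's own origin. The function names, the origin `https://app.example` and the sample inputs are constructed for illustration.

```javascript
// Added example, not node-forge code: validate an open-redirect target with
// the WHATWG URL parser (Node's global URL) before redirecting. Only http(s)
// targets on the application's own origin are accepted; inputs that the
// parser resolves to another host, including slash/backslash variants such
// as "https:///host", "//host" or "/\host", are rejected rather than being
// mistaken for relative paths.
function isSafeRedirectTarget(candidate, appOrigin) {
  let target;
  try {
    // Resolve relative to our own origin, as a redirect handler would.
    target = new URL(candidate, appOrigin);
  } catch {
    return false; // unparsable input is never a valid redirect target
  }
  const expected = new URL(appOrigin);
  // Require an http(s) scheme and an exact origin (scheme + host + port) match.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return false;
  return target.origin === expected.origin;
}

// Turn an untrusted "next" parameter into an absolute same-origin URL, or fall
// back to a fixed landing page. This is the value the handler should emit.
function resolveRedirect(candidate, appOrigin, fallbackPath = '/') {
  if (isSafeRedirectTarget(candidate, appOrigin)) {
    return new URL(candidate, appOrigin).href;
  }
  return new URL(fallbackPath, appOrigin).href;
}

// Constructed sample inputs (hypothetical origin and hosts), as a login "next"
// parameter might carry them.
const APP_ORIGIN = 'https://app.example';
const SAMPLES = [
  '/account/settings',                 // same-origin path: allowed
  'https://app.example/reports?id=7',  // absolute same-origin: allowed
  'https:///evil.example/',            // extra slash: other host, rejected
  'https:/\\/\\evil.example',          // backslash variant: other host, rejected
  '//evil.example/phish',              // protocol-relative: rejected
  '/\\evil.example',                   // slash-backslash: rejected
  'javascript:alert(1)',               // non-http scheme: rejected
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', resolveRedirect(s, APP_ORIGIN));
}
```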

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2022-0122
GHSA-8FR3-HFG3-GPGP
GHSA-GF8Q-JRPM-JVXQ

Affected Products

Node-Forge