PT-2022-13320 · Parse-Url+3 · Url-Parse+3
Lpinca · Published 2022-02-17 · Updated 2025-12-16 · CVE-2022-0639
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: url-parse versions prior to 1.5.7

Description: The issue allows for authorization bypass through a user-controlled key. A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, will return the incorrect href. This can lead to incorrect security decisions if the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request.

Recommendations: For versions prior to 1.5.7, update to version 1.5.7 or later to resolve the issue. As a temporary workaround, consider validating the 'hostname' and 'origin' attributes of the output from url-parse to ensure they match expected values before using the 'href' attribute to make a request. Restrict the use of the parse() function with untrusted input until the issue is resolved.
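The workaround above (check 'hostname' and 'origin' against expected values before trusting 'href') can be implemented as a small gate in front of any outbound request. The code below is an added example, not code from this advisory or from the url-parse project. It assumes a hypothetical allowlist ALLOWED_HOSTS, hypothetical functions validateParsedUrl() and requestTargetFor(), and hand-constructed input objects that merely carry the hostname/origin/href fields the advisory names (they are not actual url-parse output). The href is re-parsed independently with Node's built-in WHATWG URL class so that a disagreement between the fields used for the authorization decision and the address the request would actually go to is rejected, whichever parser produced them.

```javascript
// Added example (not from the advisory or the url-parse project).
// Gate a parsed URL before it is used for a request: hostname must be
// allowlisted, origin must agree with hostname, and href, parsed again with
// the built-in WHATWG URL class, must resolve to that same origin.

// Constructed allowlist of hosts this service is permitted to call.
const ALLOWED_HOSTS = new Set(['api.example.com']);

// `parsed` is any object exposing the hostname/origin/href fields named in
// the advisory; the check does not depend on the url-parse package itself.
function validateParsedUrl(parsed, allowedHosts = ALLOWED_HOSTS) {
  if (!parsed || typeof parsed.href !== 'string') {
    return { ok: false, reason: 'missing href' };
  }
  const hostname = String(parsed.hostname || '').toLowerCase();
  if (hostname === '' || !allowedHosts.has(hostname)) {
    return { ok: false, reason: `hostname not in allowlist: "${hostname}"` };
  }

  // origin must be a valid origin whose host is exactly the reported hostname.
  let originUrl;
  try {
    originUrl = new URL(String(parsed.origin));
  } catch (err) {
    return { ok: false, reason: `origin is not a valid URL: "${parsed.origin}"` };
  }
  if (originUrl.hostname !== hostname) {
    return { ok: false, reason: 'origin host does not match hostname' };
  }

  // The request is sent to href, so href must independently resolve to the
  // same scheme and host; this catches a parser whose hostname/origin fields
  // say one thing while its href points somewhere else.
  let hrefUrl;
  try {
    hrefUrl = new URL(parsed.href);
  } catch (err) {
    return { ok: false, reason: 'href is not a valid absolute URL' };
  }
  if (hrefUrl.hostname !== hostname || hrefUrl.protocol !== originUrl.protocol) {
    return {
      ok: false,
      reason: `href resolves to ${hrefUrl.origin}, expected ${originUrl.origin}`,
    };
  }
  return { ok: true, href: hrefUrl.href };
}

// Returns the address a request may be sent to, or throws. Callers use this
// value instead of the raw parsed.href.
function requestTargetFor(parsed, allowedHosts = ALLOWED_HOSTS) {
  const result = validateParsedUrl(parsed, allowedHosts);
  if (!result.ok) throw new Error(`refusing request: ${result.reason}`);
  return result.href;
}

// Constructed sample inputs (hand-written, not actual url-parse output).
const CONSISTENT = {
  hostname: 'api.example.com',
  origin: 'https://api.example.com',
  href: 'https://api.example.com/v1/users',
};
const HREF_MISMATCH = {
  hostname: 'api.example.com',
  origin: 'https://api.example.com',
  href: 'https://other.example/v1/users',
};
```

Calling requestTargetFor(CONSISTENT) returns the href unchanged, while requestTargetFor(HREF_MISMATCH) throws because the href resolves to a different host than the one the hostname and origin fields claim; a non-URL origin such as 'null' is also rejected rather than silently passed through.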

Exploit · Fix · IDOR

Weakness Enumeration

Related Identifiers

CVE-2022-0639
DLA-3336-1
DLA-4413-1
GHSA-8V38-PW62-9CW2
USN-5973-1

Affected Products

Debian
Linuxmint
Ubuntu
Url-Parse