PT-2022-13363 · Parse-Url+2 · Url-Parse+2

Published 2022-02-21 · Updated 2023-03-27 · CVE-2022-0691
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: url-parse versions prior to 1.5.9
Description: Leading control characters in a URL are not stripped when the URL is passed to url-parse, so an input that the WHATWG URL parser treats as an absolute URL (the WHATWG parser removes leading and trailing C0 control characters and spaces before parsing) can be parsed by url-parse as a relative URL with no hostname and no protocol. Any security decision that relies on url-parse's view of the hostname or protocol can therefore disagree with the browser or client that later consumes the same URL through a WHATWG parser. In particular, if url-parse is used to check for the javascript: protocol, a single leading control character lets a javascript: URL pass the check, which results in cross-site scripting (XSS).
Recommendations: Update url-parse to version 1.5.9 or later. Until the update is applied, strip leading (and trailing) control characters and whitespace from input URLs before they reach url-parse, do not rely on url-parse alone for security decisions involving the hostname or protocol, and do not use url-parse to detect the javascript: protocol without additional validation, such as checking the protocol of a WHATWG-parsed URL against an allowlist of permitted schemes.
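The parser discrepancy described above, and the workaround and hardened check from the recommendations, as an added example. This is not code from the url-parse project or from this advisory: a deliberately simplified stand-in for a url-parse < 1.5.9 style parser (scheme and authority recognised only at offset 0) is compared with the WHATWG URL parser built into Node.js (the global URL class), which removes leading and trailing C0 control characters and spaces before parsing. The function names, the base URL app.example and the sample inputs are constructed for the demonstration.

```javascript
// Added example for this advisory; not code from the url-parse project.
// Stand-in for the pre-1.5.9 behaviour: a scheme is only recognised at the
// very start of the string, so one leading control byte hides it and the
// whole input looks like a relative URL with no protocol and no host.
function naiveProtocol(input) {
  const m = /^([a-z][a-z0-9.+-]*):/i.exec(input);
  return m ? m[1].toLowerCase() + ':' : '';
}

function naiveHost(input) {
  const m = /^[a-z][a-z0-9.+-]*:\/\/([^/?#]*)/i.exec(input);
  return m ? m[1].toLowerCase() : '';
}

// WHATWG behaviour (what the browser that finally consumes the URL does):
// leading/trailing C0 controls and spaces are removed before parsing.
function whatwgProtocol(input) {
  try { return new URL(input).protocol; } catch { return ''; }
}

function whatwgHost(input) {
  try { return new URL(input).hostname; } catch { return ''; }
}

// Vulnerable decision: block javascript: links using the naive parser.
// A leading control character defeats the check while the browser still
// treats the href as javascript:.
function isSafeHrefVulnerable(input) {
  return naiveProtocol(input) !== 'javascript:';
}

// Workaround from the advisory: strip leading/trailing C0 controls and
// spaces (U+0000..U+0020) before the URL reaches a parser that does not.
function stripC0AndSpace(input) {
  return input.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// Hardened decision: parse with the WHATWG parser relative to the page's
// own base (so relative links keep working) and allow only an explicit set
// of schemes. An allowlist also covers vbscript:, data: and similar.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// app.example is an assumed base for the demonstration.
function isSafeHrefHardened(input, base = 'https://app.example/') {
  let url;
  try { url = new URL(input, base); } catch { return false; }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Constructed sample inputs: two prefixed with U+0001 (a C0 control
// character), one plain javascript: href and one genuinely relative path.
const SAMPLES = [
  '\u0001javascript:alert(document.domain)',
  '\u0001https://evil.example/landing',
  'javascript:alert(1)',
  '/account/settings',
];

// Side-by-side view of how each parser and each check sees one input.
function compare(input) {
  return {
    input,
    naiveProtocol: naiveProtocol(input),
    whatwgProtocol: whatwgProtocol(input),
    naiveHost: naiveHost(input),
    whatwgHost: whatwgHost(input),
    vulnerableCheckAllows: isSafeHrefVulnerable(input),
    hardenedCheckAllows: isSafeHrefHardened(input),
  };
}

for (const s of SAMPLES) console.log(compare(s));
```

For the first sample the naive parser reports no protocol and no host, so the vulnerable check lets it through, while the WHATWG parser reports javascript: and the hardened check rejects it; the second sample shows the same split on the hostname, which is the case where a host-based authorization decision goes wrong.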

Weakness Enumeration

IDOR

Related Identifiers

CVE-2022-0691
DLA-3336-1
GHSA-JF5R-8HM2-F872
USN-5973-1

Affected Products

Linuxmint
Ubuntu
Url-Parse