PT-2022-17562 · Url-Js · Url-Js

Pocas

Published

2022-03-11

Updated

2022-03-22

CVE-2022-25839

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions url-js versions prior to 2.1.0

Description The issue arises from improper input validation due to incorrect parsing. This allows the hostname to be spoofed, as seen in the comparison between http://localhost and http://localhost, which are considered the same URL. However, the hostname is not parsed correctly as localhost, and the backslash is reflected as is.

Recommendations For versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, consider validating URLs manually to prevent hostname spoofing. Restrict the use of backslashes in URLs to minimize the risk of exploitation.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2022-25839

GHSA-RF54-44JR-Q5VF

SNYK-JS-URLJS-2414030

Affected Products

Url-Js

PT-2022-17562 · Url-Js · Url-Js

CVE-2022-25839

Weakness Enumeration

Related Identifiers

Affected Products

References · 8