Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zdmpmLTgyZmYtcDRyM804xw
Incorrect protocol extraction via \r, \n and \t characters
\r, \n and \t characters in user-input URLs can potentially lead to incorrect protocol extraction when using npm package urijs prior to version 1.19.11.
This can lead to XSS when the module is used to prevent passing in malicious javascript: links into HTML or Javascript (see following example):
const parse = require('urijs')
const express = require('express')
const app = express()
const port = 3000
input = "ja\r\nvascript:alert(1)"
url = parse(input)
console.log(url)
app.get('/', (req, res) => {
if (url.protocol !== "javascript:") {res.send("<iframe src=\'" + input + "\'>CLICK ME!</iframe>")}
})
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zdmpmLTgyZmYtcDRyM804xw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 5 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Identifiers: GHSA-3vjf-82ff-p4r3, CVE-2022-1243
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-1243
- https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae
- https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7
- https://github.com/advisories/GHSA-3vjf-82ff-p4r3
Blast Radius: 38.0
Affected Packages
npm:urijs
Dependent packages: 1,163Dependent repositories: 187,610
Downloads: 8,519,365 last month
Affected Version Ranges: < 1.19.11
Fixed in: 1.19.11
All affected versions: 1.16.1, 1.17.0, 1.17.1, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.18.6, 1.18.7, 1.18.8, 1.18.9, 1.18.10, 1.18.11, 1.18.12, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.19.6, 1.19.7, 1.19.8, 1.19.9, 1.19.10
All unaffected versions: 1.19.11