CVE-2020-8910: Improper Input Validation in Google Closure Library
CVSS Score: 6.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2020-8910
GHSA ID
EPSS Score: 0.22584%
CWE
Published: 5/7/2021
Updated: 1/29/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
google-closure-library | npm | <= 20200224.0.0 | 20200315.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the splitRe_ regex in utils.js, which was updated in the fix to properly handle authority-terminating characters and backslashes. The commit diff shows changes to this regex and added tests for URLs like 'https://malicious.com@test.google.com', where getDomain and getPath previously returned incorrect values. Functions like getDomain and getPath directly depend on splitRe_ for parsing, making them vulnerable. The high confidence comes from the direct correlation between the regex fix, the test cases, and the CVE description.
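The effect of treating a backslash as an authority-terminating character can be checked by comparing a regex-based split against the runtime's own URL parser. The following is an added example, not code from the library or its fix commit: the two patterns are simplified stand-ins for splitRe_, and the helper names and the .example URLs are constructed for illustration.

```javascript
// Added illustration: simplified URL-splitting patterns written for this
// example. They are NOT the library's splitRe_ source.
// LOOSE ends the authority only at "/", "?" or "#".
const LOOSE = new RegExp(
  '^(?:([^:/?#.]+):)?' +                    // scheme
  '(?://(?:([^/?#]*)@)?' +                  // userinfo
  '([^/#?]*?)(?::([0-9]+))?' +              // domain, port
  '(?=[/#?]|$))?' +                         // authority terminator
  '([^?#]+)?(?:\\?([^#]*))?(?:#([\\s\\S]*))?$');  // path, query, fragment

// STRICT also excludes "\" from userinfo and domain and accepts it as a terminator.
const STRICT = new RegExp(
  '^(?:([^:/?#.]+):)?' +
  '(?://(?:([^\\\\/?#]*)@)?' +
  '([^\\\\/#?]*?)(?::([0-9]+))?' +
  '(?=[\\\\/#?]|$))?' +
  '([^?#]+)?(?:\\?([^#]*))?(?:#([\\s\\S]*))?$');

// Hypothetical helper: domain and path as a given pattern splits them.
function split(re, url) {
  const m = re.exec(url) || [];
  return { domain: m[3] || '', path: m[5] || '' };
}

// Hostname as the runtime's WHATWG URL parser resolves it (null if invalid).
function platformHost(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// True when the regex-derived domain matches what the runtime would contact.
function agrees(re, url) {
  return split(re, url).domain.toLowerCase() === platformHost(url);
}

// Constructed sample inputs using reserved .example names.
const SAMPLES = [
  'https://www.trusted.example/a/b?x=1#f',
  'https://user@www.trusted.example:8443/a',
  'https://untrusted.example\\@www.trusted.example/a',
];

// One row per sample: does each pattern agree with the runtime's parser?
function report() {
  return SAMPLES.map((url) => ({
    url, loose: agrees(LOOSE, url), strict: agrees(STRICT, url),
  }));
}

console.log(report());
```

A disagreement between the regex-derived domain and the runtime's hostname is the condition to reject on before any allow-list or redirect decision is made from the parsed value.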