7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-27516

GHSA ID

GHSA-p6j9-7xhc-rhwp

EPSS Score

0.67029%

CWE

CWE-20

Published

3/1/2021

Updated

12/8/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-27516

CVE-2021-27516: URIjs Hostname spoofing via backslashes in URL

Impact

If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character as part of the scheme delimiter, e.g. scheme:/\hostname. If the hostname is used in security decisions, the decision may be incorrect.

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: https:/\expected-example.com/path Escaped string: https:/\\expected-example.com/path (JavaScript strings must escape backslash)

Affected versions incorrectly return no hostname. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Patches

Version 1.19.6 is patched against all known payload variants.

References

https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for this particular bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass) PR #233 (initial fix for backslash handling)

For more information

If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js

Reporter credit

Yaniv Nizry from the CxSCA AppSec team at Checkmarx

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-27516

GHSA ID

GHSA-p6j9-7xhc-rhwp

EPSS Score

0.67029%

CWE

CWE-20

Published

3/1/2021

Updated

12/8/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
urijs	npm	< 1.19.6	1.19.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input validation when handling backslashes in the scheme delimiter. The commit diff shows the fix modified the protocol check to replace backslashes with forward slashes in the substring comparison (string.substring(pos + 1, pos + 3).replace(/\\/g, '/') === '//). This indicates the original implementation in URI.parse() lacked this normalization, making it vulnerable to hostname spoofing via malformed scheme delimiters. The test case added in test/urls.js explicitly validates this scenario, confirming the function's role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t I* usin* *****t** v*rsions to **t*rmin* * URL's *ostn*m*, t** *ostn*m* **n ** spoo*** *y usin* * ***ksl*s* (`\`) ***r**t*r *s p*rt o* t** s***m* **limit*r, *.*. `s***m*:/\*ostn*m*`. I* t** *ostn*m* is us** in s**urity ***isions, t** ***isi

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion w**n **n*lin* ***ksl*s**s in t** s***m* **limit*r. T** *ommit *i** s*ows t** *ix mo*i*i** t** proto*ol ****k to r*pl*** ***ksl*s**s wit* *orw*r* sl*s**s in t** su*strin* *omp*rison (`strin*.su*st

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-27516: URIjs Hostname spoofing via backslashes in URL

Impact

Patches

References

For more information

Reporter credit

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI