
CVE-2021-3664: Open redirect in url-parse

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.55638%
Published: 8/10/2021
Updated: 2/23/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
url-parse    | npm       | < 1.5.2             | 1.5.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from how extractProtocol processed URLs with non-standard slash patterns after the protocol. The fix introduced the isSpecial helper and modified extractProtocol to explicitly handle special protocols, ignoring excess slashes. Pre-patch versions failed to properly separate the hostname from the path in these cases, enabling open redirects. The commit diff shows critical logic changes in extractProtocol, and the CVE/issue descriptions confirm this was the attack vector.
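The following is an added example, not code from url-parse or from Miggo. It shows the defensive counterpart of the parsing flaw described above: a redirect-target check that first refuses any absolute URL whose text after the scheme is not in the strict `scheme://host` form (the non-standard slash patterns the root cause analysis refers to), then resolves what remains with Node's built-in WHATWG `URL` parser and compares the resulting hostname against an allowlist. The function names, the allowlist, the `placeholder.invalid` base origin and the restriction to `http`/`https` targets are assumptions of this example.

```javascript
'use strict';
// Added example (not url-parse's or Miggo's code): validate a redirect
// target before issuing the redirect. Assumptions: only http/https targets
// are redirect candidates, and relative paths are resolved against a
// placeholder origin that cannot occur in real input.

const REDIRECT_SCHEMES = new Set(['http', 'https']);
const PLACEHOLDER_ORIGIN = 'https://placeholder.invalid';

// Strict form for an absolute target: "scheme://" followed by a character
// that is neither a slash nor a backslash. This refuses the non-standard
// slash patterns after the scheme (three slashes, a slash/backslash mix)
// on which lenient parsers have disagreed with browsers.
const STRICT_ABSOLUTE = /^[a-z][a-z0-9+.-]*:\/\/[^\/\\]/i;
const SCHEME_PREFIX = /^([a-z][a-z0-9+.-]*):/i;

// True when the input is scheme-less (treated as relative) or an absolute
// http/https URL in strict form. Any other scheme, including something
// like "account:1" that merely looks like one, is refused as a precaution.
function hasStandardForm(input) {
  const m = SCHEME_PREFIX.exec(input);
  if (!m) return true;
  if (!REDIRECT_SCHEMES.has(m[1].toLowerCase())) return false;
  return STRICT_ABSOLUTE.test(input);
}

// Returns the hostname the redirect would land on, or null when the input
// must be refused. A relative path yields the placeholder host.
function redirectHost(input) {
  const s = input.trim();
  if (s.includes('\\')) return null;   // a backslash never belongs in a redirect target
  if (!hasStandardForm(s)) return null;
  let url;
  try {
    url = new URL(s, PLACEHOLDER_ORIGIN);
  } catch (e) {
    return null;                        // unparseable under WHATWG rules
  }
  if (!REDIRECT_SCHEMES.has(url.protocol.slice(0, -1))) return null;
  return url.hostname;                  // already lowercased by the parser
}

// Decision used by the redirect handler: relative paths stay on-site;
// absolute (or protocol-relative) targets must resolve to an allowlisted host.
function isAllowedRedirect(input, allowedHosts) {
  const host = redirectHost(input);
  if (host === null) return false;
  if (host === 'placeholder.invalid') return true;
  return allowedHosts.includes(host);
}
```

The point of the two-stage check is that the allowlist comparison is only as good as the parser that produced the hostname: by refusing inputs outside the strict grammar before parsing, the decision no longer depends on how a particular library splits host from path when the slashes after the scheme are irregular.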

Vulnerable functions


WAF Protection Rules

WAF Rule

# Overview
Affected versions of npm `url-parse` are vulnerable to URL Redirection to Untrusted Site.

# Impact
Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other un

Reasoning

The vulnerability stems from how `extractProtocol` processed URLs with non-standard slash patterns after the protocol. The fix introduced the `isSpecial` helper and modified `extractProtocol` to explicitly handle special protocols, ignoring excess sl