Miggo Logo

CVE-2022-0512: Authorization bypass in url-parse

5.3

CVSS Score
3.1

Basic Information

EPSS Score
0.0534%
Published
2/15/2022
Updated
2/23/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
url-parsenpm< 1.5.61.5.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper parsing of userinfo containing '@' and ':' characters. The pre-patch code in index.js used split(':') to separate username/password and did not properly handle encoded characters, allowing attackers to craft malicious auth strings that bypass authorization checks. The commit diff shows critical fixes: 1) Using lastIndexOf('@') instead of indexOf('@') to prevent ambiguous parsing, and 2) Adding URI component encoding/decoding when handling auth components. These changes directly address the authorization bypass by ensuring proper handling of special characters in user-controlled auth data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ut*oriz*tion *yp*ss T*rou** Us*r-*ontroll** K*y in NPM url-p*rs* prior to *.*.*.

Reasoning

T** vuln*r**ility st*ms *rom improp*r p*rsin* o* us*rin*o *ont*inin* '@' *n* ':' ***r**t*rs. T** pr*-p*t** *o** in `in**x.js` us** `split(':')` to s*p*r*t* us*rn*m*/p*sswor* *n* *i* not prop*rly **n*l* *n*o*** ***r**t*rs, *llowin* *tt**k*rs to *r**t