CVE-2022-0512: Authorization bypass in url-parse
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.0534%
CWE
Published
2/15/2022
Updated
2/23/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
url-parse | npm | < 1.5.6 | 1.5.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper parsing of userinfo containing '@' and ':' characters. The pre-patch code in index.js
used split(':')
to separate username/password and did not properly handle encoded characters, allowing attackers to craft malicious auth strings that bypass authorization checks. The commit diff shows critical fixes: 1) Using lastIndexOf('@')
instead of indexOf('@')
to prevent ambiguous parsing, and 2) Adding URI component encoding/decoding when handling auth components. These changes directly address the authorization bypass by ensuring proper handling of special characters in user-controlled auth data.