6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2022-0639

GHSA ID

GHSA-8v38-pw62-9cw2

EPSS Score

0.04754%

CWE

CWE-639

Published

2/18/2022

Updated

9/11/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-0639

CVE-2022-0639:
url-parse Incorrectly parses URLs that include an '@'

A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular,

parse(\"http://@/127.0.0.1\")

Will return:

{
 slashes: true,
 protocol: 'http:',
 hash: '',
 query: '',
 pathname: '/127.0.0.1',
 auth: '',
 host: '',
 port: '',
 hostname: '',
 password: '',
 username: '',
 origin: 'null',
 href: 'http:///127.0.0.1'
 }

If the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect.

(GitHub Advisory)

6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2022-0639

GHSA ID

GHSA-8v38-pw62-9cw2

EPSS Score

0.04754%

CWE

CWE-639

Published

2/18/2022

Updated

9/11/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
url-parse	npm	< 1.5.7	1.5.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how url-parse's toString() function constructs the href property. The GitHub patch adds logic to preserve '@' in URLs with empty auth when specific conditions are met (non-file protocol, special protocol, empty host, and non-root pathname). The pre-patch version omitted the '@' in these cases, leading to href values like 'http:///127.0.0.1' instead of 'http://@/127.0.0.1'. This discrepancy allowed attackers to bypass security checks using hostname/origin (which would be empty) while requests would target the pathname-as-host via the malformed href.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* sp**i*lly *r**t** URL wit* *n '@' si*n *ut *mpty us*r in*o *n* no *ostn*m*, w**n p*rs** wit* url-p*rs*, url-p*rs* will r*turn t** in*orr**t *r**. In p*rti*ul*r, ```js p*rs*(\"*ttp://@/***.*.*.*\") ``` Will r*turn: ```y*ml { sl*s**s: tru*, proto*

Reasoning

T** vuln*r**ility st*ms *rom *ow url-p*rs*'s toStrin*() *un*tion *onstru*ts t** *r** prop*rty. T** *it*u* p*t** ***s lo*i* to pr*s*rv* '@' in URLs wit* *mpty *ut* w**n sp**i*i* *on*itions *r* m*t (non-*il* proto*ol, sp**i*l proto*ol, *mpty *ost, *n*

6.5

Basic Information

Concerned about an active attack path?

CVE-2022-0639: url-parse Incorrectly parses URLs that include an '@'

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-0639:
url-parse Incorrectly parses URLs that include an '@'

Vulnerability Intelligence
Miggo AI