
CVE-2022-0639: url-parse Incorrectly parses URLs that include an '@'

CVSS Score: 6.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.04754%
Published: 2/18/2022
Updated: 9/11/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
url-parse | npm | < 1.5.7 | 1.5.7

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from how url-parse's toString() function constructs the href property. The GitHub patch adds logic to preserve the '@' in URLs with empty auth when specific conditions are met (non-file protocol, special protocol, empty host, and non-root pathname). The pre-patch version omitted the '@' in these cases, producing href values like 'http:///127.0.0.1' instead of 'http://@/127.0.0.1'. This discrepancy allowed attackers to bypass security checks based on hostname/origin (which would be empty) while a request issued from the malformed href would target the pathname as the host.
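As an added example (not url-parse's own code), the following JavaScript models the toString() branch described above, with the pre-1.5.7 and 1.5.7 behaviour selectable, and shows a defensive check that compares the host an allowlist decision was made on against the host a WHATWG-compliant client would actually connect to. `splitUrl`, `toHref`, `effectiveHost` and `safeToRequest` are assumed names, and `splitUrl` is a toy splitter rather than url-parse's parser.

```javascript
// Added example, not url-parse's own code. splitUrl is a toy splitter
// (assumption); toHref models the href construction the advisory describes.
const SPECIAL = new Set(['http:', 'https:', 'ftp:', 'ws:', 'wss:', 'file:']);

// Split "scheme://[userinfo@]host[/path]" into the fields toString() uses.
function splitUrl(input) {
  const m = /^([a-z]+:)\/\/(?:([^@\/]*)@)?([^\/]*)(\/.*)?$/i.exec(input);
  if (!m) throw new Error('unsupported URL shape: ' + input);
  const [, protocol, userinfo = '', host, pathname = '/'] = m;
  const [username = '', password = ''] = userinfo.split(':');
  return { protocol: protocol.toLowerCase(), username, password, host, pathname };
}

// Model of href construction. With `patched` true, the '@' is re-emitted for an
// empty userinfo when the protocol is special and not file:, the host is empty
// and the pathname is not '/', so the href cannot be re-read with the path as host.
function toHref(url, patched) {
  let href = url.protocol + '//';
  if (url.username || url.password) {
    href += url.username + (url.password ? ':' + url.password : '') + '@';
  } else if (patched && url.protocol !== 'file:' && SPECIAL.has(url.protocol) &&
             !url.host && url.pathname !== '/') {
    href += '@';
  }
  return href + url.host + url.pathname;
}

// Hostname a WHATWG-compliant client (here Node's built-in URL) would connect
// to for `href`, or null when the href is not a valid URL at all.
function effectiveHost(href) {
  try { return new URL(href).hostname; } catch (e) { return null; }
}

// Defensive check for code that allowlists on the parsed hostname: refuse an
// empty host, and refuse any href whose effective host differs from the host
// the allowlist decision was made on.
function safeToRequest(input, allowedHosts, patched) {
  const url = splitUrl(input);
  if (!url.host || !allowedHosts.includes(url.host)) return false;
  return effectiveHost(toHref(url, patched)) === url.host;
}

// Constructed demonstration of the discrepancy from the advisory.
const crafted = splitUrl('http://@/127.0.0.1');      // host '', pathname '/127.0.0.1'
console.log(toHref(crafted, false));                 // http:///127.0.0.1  (pre-1.5.7)
console.log(effectiveHost(toHref(crafted, false)));  // 127.0.0.1: the path became the host
console.log(toHref(crafted, true));                  // http://@/127.0.0.1 (1.5.7)
console.log(effectiveHost(toHref(crafted, true)));   // null: rejected on re-parse
```

The guard refuses the crafted input on both versions because the host url-parse reports is empty, which is the signal a hostname/origin check should never accept.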


WAF Protection Rules

WAF Rule

A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, will cause url-parse to return the incorrect href. In particular,

```js
parse("http://@/127.0.0.1")
```

Will return:

```yaml
{ slashes: true, proto
```
