Miggo Logo
Miggo Vulnerability Database
CVE-2022-0686

CVE-2022-0686:
Authorization Bypass Through User-Controlled Key in url-parse

9.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-0686
GHSA ID
GHSA-hgjh-723h-mx2j
EPSS Score
0.34034%
CWE
CWE-639
Published
2/21/2022
Updated
11/29/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
url-parsenpm< 1.5.81.5.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key changes in the patch: 1) The port regex modification from \d+ to \d* shows empty ports weren't properly detected, allowing URLs like 'http://example.com:' to be parsed with incorrect host values. 2) The toString() function's host handling changes demonstrate it was stripping trailing colons needed for proper host identification. These combined allowed user-controlled keys to bypass authorization checks through crafted URLs with empty ports.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

url-p*rs* prior to v*rsion *.*.* is vuln*r**l* to *ut*oriz*tion *yp*ss T*rou** Us*r-*ontroll** K*y.

Reasoning

T** vuln*r**ility st*ms *rom two k*y ***n**s in t** p*t**: *) T** port r***x mo*i*i**tion *rom \*+ to \** s*ows *mpty ports w*r*n't prop*rly **t**t**, *llowin* URLs lik* '*ttp://*x*mpl*.*om:' to ** p*rs** wit* in*orr**t *ost v*lu*s. *) T** toStrin*()