7.2

CVSS Score

3.0

Basic Information

CVE ID

CVE-2022-1243

GHSA ID

GHSA-3vjf-82ff-p4r3

EPSS Score

0.54305%

CWE

CWE-20

Published

4/6/2022

Updated

11/29/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-1243

CVE-2022-1243: Incorrect protocol extraction via \r, \n and \t characters

\r, \n and \t characters in user-input URLs can potentially lead to incorrect protocol extraction when using npm package urijs prior to version 1.19.11.

This can lead to XSS when the module is used to prevent passing in malicious javascript: links into HTML or Javascript (see following example):

const parse = require('urijs')
const express = require('express')
const app = express()
const port = 3000

input = "ja\r\nvascript:alert(1)"
url = parse(input)

console.log(url)

app.get('/', (req, res) => {
 if (url.protocol !== "javascript:") {res.send("<iframe src=\'" + input + "\'>CLICK ME!</iframe>")}
})

app.listen(port, () => {
 console.log(`Example app listening on port ${port}`)
})

(GitHub Advisory)

7.2

CVSS Score

3.0

Basic Information

CVE ID

CVE-2022-1243

GHSA ID

GHSA-3vjf-82ff-p4r3

EPSS Score

0.54305%

CWE

CWE-20

Published

4/6/2022

Updated

11/29/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
urijs	npm	< 1.19.11	1.19.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from URI.parse()'s handling of URL parsing. The commit fix shows:

Addition of a regex pattern (ascii_tab_whitespace) to detect control characters
Modification of the parsing logic to strip these characters from input strings
Test cases added for URLs containing CR/LF/TAB in protocols This demonstrates the vulnerable function was URI.parse() as it previously didn't sanitize these characters, allowing protocol confusion. The direct correlation between the vulnerability description and the patched code changes confirms this assessment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

\r, \n *n* \t ***r**t*rs in us*r-input URLs **n pot*nti*lly l*** to in*orr**t proto*ol *xtr**tion w**n usin* npm p**k*** urijs prior to v*rsion *.**.**. T*is **n l*** to XSS w**n t** mo*ul* is us** to pr*v*nt p*ssin* in m*li*ious j*v*s*ript: links i

Reasoning

T** vuln*r**ility st*ms *rom URI.p*rs*()'s **n*lin* o* URL p*rsin*. T** *ommit *ix s*ows: *. ***ition o* * r***x p*tt*rn (*s*ii_t**_w*it*sp***) to **t**t *ontrol ***r**t*rs *. Mo*i*i**tion o* t** p*rsin* lo*i* to strip t**s* ***r**t*rs *rom input st

7.2

Basic Information

Concerned about an active attack path?

CVE-2022-1243: Incorrect protocol extraction via \r, \n and \t characters

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI