CVE-2022-2216:
Server-Side Request Forgery in parse-url

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.38834%
Published: 6/28/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
parse-url    | npm       | < 6.0.1             | 6.0.1

Vulnerability Intelligence
Root Cause Analysis

The commit 21c72ab introduced a regex (GIT_RE) to detect git-ssh URLs and corrected protocol assignment. Prior to this fix, URLs like 'git@github.com:user/repo.git' were parsed with protocol 'file' instead of 'ssh'. This misclassification could allow SSRF if applications used the parsed protocol/resource to make requests, as attackers could exploit the incorrect parsing to target internal systems. The vulnerability directly stems from the parsing logic in parseUrl, which was updated in the patch.
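As an added illustration (not parse-url's own code and not the GIT_RE from commit 21c72ab): a minimal parser that reproduces the misclassification described above when git-ssh detection is switched off, classifies scp-like git-ssh URLs as 'ssh' when it is on, and then applies the allowlist check an application should make before using a parsed URL to issue a request. GIT_SSH_RE, SCHEME_RE and the allowlists are assumptions constructed here.

```javascript
// Constructed example, not parse-url's implementation.
// Assumed regex for scp-like git-ssh syntax: user@host:path
// (e.g. git@github.com:user/repo.git). Not the project's GIT_RE.
const GIT_SSH_RE = /^([\w.-]+)@([\w.-]+):(.+)$/;
// Assumed regex for generic scheme://authority/rest URLs.
const SCHEME_RE = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)(.*)$/i;

function parseUrl(input, { detectGitSsh = true } = {}) {
  // Fixed behaviour: recognise git-ssh URLs first and label them 'ssh'.
  const git = detectGitSsh ? GIT_SSH_RE.exec(input) : null;
  if (git) {
    return { protocol: 'ssh', user: git[1], resource: git[2], pathname: '/' + git[3] };
  }
  const m = SCHEME_RE.exec(input);
  if (m) {
    const [user, host] = m[2].includes('@') ? m[2].split('@') : ['', m[2]];
    return { protocol: m[1].toLowerCase(), user, resource: host, pathname: m[3] || '/' };
  }
  // Fallback resembling the pre-fix behaviour the advisory describes:
  // anything unrecognised is treated as a local file path, so
  // git@github.com:user/repo.git ends up with protocol 'file'.
  return { protocol: 'file', user: '', resource: '', pathname: input };
}

// Defender-side gate: decide from the parsed URL whether an outbound
// request may be made. Allowlist protocol and host explicitly rather than
// trusting the parser's classification on its own. (Assumed allowlists.)
const ALLOWED_PROTOCOLS = new Set(['https']);
const ALLOWED_HOSTS = new Set(['github.com']);

function isRequestAllowed(input) {
  const u = parseUrl(input);
  return ALLOWED_PROTOCOLS.has(u.protocol) && ALLOWED_HOSTS.has(u.resource);
}
```

The gate rejects the git-ssh form, plain http, and hosts outside the allowlist regardless of how the parser labelled the protocol.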


WAF Protection Rules

WAF Rule

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 6.0.1.
