
CVE-2022-2218:
Cross site scripting in parse-url

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.57221%
Published: 6/28/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
parse-url      npm         < 6.0.1               6.0.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from how parseUrl handles git-style URLs. The fixing commit adds special handling for 'file' protocol URLs, using a regex that extracts the pathname component. Before the patch, this pathname value, taken directly from user input, was returned unsanitized among the parsed URL components. Any application that rendered those components without HTML escaping (for example, displaying resource or pathname in a UI) could therefore be exposed to stored XSS. The patch introduces protocol normalization and reworks the pathname extraction that was previously vulnerable. Note that parse-url returns raw strings rather than validated or encoded components, so a consumer that interpolates pathname or resource into markup must still HTML-escape them at the point of rendering, whatever version of the library is installed.
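The rendering mistake described above, as an added example that is not parse-url's own code or the fixing commit: a toy regex-based parser stands in for the library (it returns raw substrings the way a regex parser does, and its regexes and the "file" / git-style forms it accepts are this example's assumptions), followed by an unsafe render that interpolates the parsed components straight into markup and a hardened render that HTML-escapes them first. The crafted input is constructed for the example and does not come from the advisory.

```javascript
// Added example, not parse-url's code. toyParseUrl is a stand-in for a
// regex-based URL parser: it returns raw, unescaped substrings for the
// "proto://host/path", "file:///path" and "user@host:path" (git-style) forms.
function toyParseUrl(input) {
  const url = String(input).trim();
  let m;
  // Assumed handling for file URLs: everything after "file://" is the pathname.
  if ((m = /^file:\/\/(\/.*)$/.exec(url))) {
    return { protocol: "file", resource: "", pathname: m[1] };
  }
  // Generic "proto://host/path" form.
  if ((m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)(.*)$/i.exec(url))) {
    return { protocol: m[1].toLowerCase(), resource: m[2], pathname: m[3] || "/" };
  }
  // Git-style "user@host:path" form.
  if ((m = /^([^@/:]+)@([^:/]+):(.*)$/.exec(url))) {
    return { protocol: "ssh", user: m[1], resource: m[2], pathname: m[3] };
  }
  // Anything else is treated as a bare path, still unescaped.
  return { protocol: "", resource: "", pathname: url };
}

// Minimal HTML escaper covering the five characters that matter in text
// and attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: parsed components are interpolated straight into markup.
// A pathname carrying markup is emitted verbatim and executes in the viewer's browser.
function renderUnsafe(parsed) {
  return `<li><b>${parsed.resource}</b>${parsed.pathname}</li>`;
}

// Hardened pattern: every component is escaped at the point it enters HTML,
// regardless of what the parser did or did not sanitize.
function renderSafe(parsed) {
  return `<li><b>${escapeHtml(parsed.resource)}</b>${escapeHtml(parsed.pathname)}</li>`;
}

// Constructed sample input (not from the advisory): a repository URL whose
// pathname carries an HTML payload.
const CRAFTED = "file:///repos/<img src=x onerror=alert(1)>.git";

// Runs the crafted input through the parser and both renderers.
function demo(input = CRAFTED) {
  const parsed = toyParseUrl(input);
  return { parsed, unsafe: renderUnsafe(parsed), safe: renderSafe(parsed) };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("parsed:", r.parsed);
  console.log("unsafe:", r.unsafe);
  console.log("safe:  ", r.safe);
}
```

The parser is deliberately the weak link: like any regex-based parser it hands back whatever bytes it matched, so the only control that reliably holds is escaping in renderSafe. A WHATWG parser such as Node's built-in URL would percent-encode the angle brackets in pathname, which hides the problem for that one input but is not a substitute for output encoding, since consumers routinely decode path segments before display.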


WAF Protection Rules

WAF Rule: Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 6.0.1.
