9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-2900

GHSA ID

GHSA-j9fq-vwqv-2fm2

EPSS Score

0.69669%

CWE

CWE-918

Published

9/15/2022

Updated

6/21/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2900

CVE-2022-2900: Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-2900

CVE-2022-2900:

9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-2900

GHSA ID

GHSA-j9fq-vwqv-2fm2

EPSS Score

0.69669%

CWE

CWE-918

Published

9/15/2022

Updated

6/21/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parse-url	npm	< 8.1.0	8.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability exists in the parseUrl function's handling of URLs. Before the patch:

No input length validation allowed excessively long URLs that could bypass checks
The 'file' protocol check and subsequent Git SSH regex matching created a path for internal resource access
Lack of proper error handling for failed parses (now indicated by parsed.parse_failed) let invalid URLs proceed
Missing throw mechanism for non-Git URLs in the 'file' protocol path enabled SSRF

The patch added length checks, parse_failed tracking, and strict error throwing - all indicators these were the missing security controls in the original function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-2900: Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url

CVE-2022-2900:

9.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

CVE-2022-2900: Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url

9.1

9.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI