
CVE-2022-2900: Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url

CVSS Score: 9.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.69669%
Published: 9/15/2022
Updated: 6/21/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
parse-url    | npm       | < 8.1.0             | 8.1.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability lies in how the parseUrl function handled URL input. Before the patch:

  1. There was no input length validation, so excessively long URLs reached the parser and the regex matching that follows it, where they could bypass the intended checks.
  2. The 'file' protocol check and the Git SSH regex matching that followed it gave attacker-controlled input a path to internal resources.
  3. A failed parse was not detected (the patch introduces the parsed.parse_failed flag for this), so invalid URLs proceeded as if they had parsed correctly.
  4. Non-Git URLs taking the 'file' protocol path were not rejected with a throw, which is what enabled the SSRF.

The patch added the length check, parse_failed tracking, and strict error throwing; each of these corresponds to a security control that was missing from the original function.
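The three controls described above, applied to a URL parser and followed by the allowlist check a caller needs before fetching anything, as an added example. This is not parse-url's own code: it uses Node's built-in WHATWG URL class as the primary parser and accepts the scp-like Git SSH form ("user@host:path") as the only fallback when that parser fails. Only the parse_failed flag mirrors a name from the advisory; MAX_INPUT_LENGTH (with its assumed 2048 ceiling), GIT_SSH_RE, safeParseUrl, assertFetchTarget, isFetchable and the other output keys are this example's own.

```javascript
// Added example (not parse-url's own code). Assumed names and values are marked below.
const MAX_INPUT_LENGTH = 2048; // assumed ceiling; choose what the application actually needs

// scp-like Git SSH syntax with no scheme: [user@]host:path, e.g. git@github.com:org/repo.git
// (this example's own regex, deliberately narrow: no spaces, no colon or slash at path start)
const GIT_SSH_RE = /^(?:([a-z0-9_][a-z0-9_.-]*)@)?([a-z0-9][a-z0-9.-]*):([^\s:/][^\s]*)$/i;

function safeParseUrl(input) {
  if (typeof input !== "string" || input.trim().length === 0) {
    throw new Error("Invalid url.");
  }
  // Control 1: bound the input before any parser or regex touches it.
  if (input.length > MAX_INPUT_LENGTH) {
    throw new Error(`Input too long. Max length is ${MAX_INPUT_LENGTH} characters.`);
  }

  let url = null;
  try {
    url = new URL(input); // WHATWG parser; throws on input without a valid scheme
  } catch {
    // Control 2: a failed parse is recorded and handled below, never treated as success.
  }

  if (url !== null) {
    return {
      protocol: url.protocol.slice(0, -1), // "https:" -> "https"
      resource: url.hostname,
      port: url.port,
      pathname: url.pathname,
      parse_failed: false,
    };
  }

  // Control 3: the only accepted fallback is the scp-like Git SSH form; anything else throws
  // instead of falling through with a half-populated result.
  const m = input.match(GIT_SSH_RE);
  if (!m) {
    throw new Error("URL parsing failed.");
  }
  return {
    protocol: "ssh",
    user: m[1] || "",
    resource: m[2],
    port: "",
    pathname: "/" + m[3],
    parse_failed: true, // parsed by the fallback, not by the URL parser
  };
}

// SSRF guard for code that will fetch the parsed target: decide on the parser's output
// (scheme and host), never on the raw string, and only reach hosts you intended to reach.
function assertFetchTarget(parsed, allowedHosts) {
  if (parsed.parse_failed) {
    throw new Error("refusing to fetch: input was not a standard URL");
  }
  if (parsed.protocol !== "http" && parsed.protocol !== "https") {
    throw new Error(`refusing to fetch: scheme "${parsed.protocol}" is not allowed`);
  }
  const host = parsed.resource.toLowerCase();
  if (!allowedHosts.includes(host)) {
    throw new Error(`refusing to fetch: host "${host}" is not on the allowlist`);
  }
  return true;
}

// Convenience wrapper: true only when the input parses cleanly and passes the guard.
function isFetchable(input, allowedHosts) {
  try {
    return assertFetchTarget(safeParseUrl(input), allowedHosts);
  } catch {
    return false;
  }
}
```

The guard runs on the parsed host rather than on the string because authority forms such as "https://example.com@127.0.0.1/" carry the allowlisted name only as credentials; the WHATWG parser reports 127.0.0.1 as the host, and that is the value the allowlist must see.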
