CVE-2022-25839

Description

The package url-js before 2.1.0 is vulnerable to Improper Input Validation due to improper parsing, which makes it possible for the hostname to be spoofed. http://\\\\\\\\localhost and http://localhost are the same URL. However, the hostname is not parsed as localhost, and the backslash is reflected as-is.

/*globals URL*/

+ // const _hostname_norm_exp = /^\\/g;
+ const _pathname_norm_exp = /\\+/;
+
const _parse_url_exp = new RegExp([
'^([\\w.+\\-\\*]+:)//' // protocol
, '(([^:/?#]*)(?::([^/?#]*))?@|)' // username:password
- , '(([^:/?#]*)(?::(\\d+))?)' // host == hostname:port
- , '(/[^?#]*|)' // pathname
+ , '\\\\*(([^:/\\\\?#]*)(?::(\\d+))?)' // host == hostname:port
+ , '([/\\\\][^?#]*|)' // pathname
, '(\\?([^#]*)|)' // search & query
, '(#.*|)$' // hash
].join(NIL));
@@ -32,13 +35,25 @@ export default function parseUrl(href, part, parseQuery) {
, i, ret = false
;
if (match) {
+ // if (i = match[map.hostname]) {
+ // match[map.hostname] = i.replace(_hostname_norm_exp, '');
+ // }
+ if (i = match[map.pathname]) {
+ match[map.pathname] = i.replace(_pathname_norm_exp, '/');
+ }
+
if (part && part in map) {
ret = match[map[part]] || NIL;
- if (part == 'pathname') {
- if (!ret) ret = '/';
- }
- if (parseQuery && part == 'query') {
- ret = toObject(ret || NIL);
+ switch (part) {
+ case 'pathname':
+ if (!ret) ret = '/';
+ break;
+
+ case 'query':
+ if (parseQuery) {
+ ret = toObject(ret || NIL);
+ }
+ break;
}
}
else {
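Review bot: The pathname normalization added at the top of the `if (match)` block replaces only the first run of backslashes, because `_pathname_norm_exp` (declared as `/\\+/` in the earlier hunk) carries no `g` flag, so a captured path like `\a\b` becomes `/a\b` while the later backslash survives. If the intent is to treat every backslash in the path as a slash, consistent with the hostname change, the declaration should read `const _pathname_norm_exp = /\\+/g;`; if only the leading separator is meant, a short comment saying so would stop a reader from "fixing" it. The assignment inside `if (i = match[map.pathname])` reads as a comparison at a glance; `i = match[map.pathname]; if (i) { … }` makes the intent explicit. parseUrl begins before this hunk and its body continues past it.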

This issue was fixed by the change shown above.


Proof of Concept

sh-3.2$ node -e "const URLJS = require('url-js');console.log(URLJS('http://\\\\localhost'))"
URLJS {
protocol: 'http:',
username: '',
password: '',
hostname: '\\localhost',
port: '',
pathname: '/',
search: '',
query: '',
hash: ''
}
sh-3.2$

Reporting Timeline

  • 2022-02-?? ??h ??m : Reported this issue via the snyk
  • 2022-02-28 23h 57m : Patched this issue by duzun
  • 2022-03-07 ??h ??m : Assigned CVE-2022-25839 by snyk

Reference