Open Redirect in digitalbazaar/forge


Reported on

Sep 4th 2021

✍️ Description

parseUrl functionality in node-forge mishandles certain uses of backslash such as https:/\/\/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol, and treat it as a normal slash, while node-forge sees it as a relative path and leads to URL Redirection to Untrusted Site.

🕵️‍♂️ Proof of Concept

Create the following PoC file:

// poc.js
var forge = require("node-forge");
var url = forge.util.parseUrl("https:/\/\/\");

Execute the following commands in another terminal:

npm i node-forge # Install affected module
node poc.js #  Run the PoC

Check the Output:

  full: 'https://',
  scheme: 'https',
  host: '',
  port: 443,
  path: '/',                        <<<---- path  should be "/foo/bar"
  fullHost: ''

In the above example path should be "/foo/bar" or it should return it as null as per

💥 Impact

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.


We created a GitHub Issue asking the maintainers to create a 2 years ago
We have contacted a member of the digitalbazaar/forge team and are waiting to hear back 2 years ago
digitalbazaar/forge maintainer
a year ago


The whole forge.util.parseUrl API and other URL related APIs were removed in v1.0.0.

a year ago


@maintainer Can you please validate this issue by clicking on Mark as valid. And confirm the fix. Thanks.

ready-research modified the report
a year ago
digitalbazaar/forge maintainer validated this vulnerability a year ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
digitalbazaar/forge maintainer marked this as fixed in 1.0.0 with commit db8016 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
util.js#L2270 has been validated
to join this conversation