Debian Security Advisory
DLA-3336-1 node-url-parse -- LTS security update
- Date Reported: 23 Feb 2023
- Affected Packages: node-url-parse
- Vulnerable: Yes
- Security database references:
  In the Debian bugtracking system: Bug 985110, Bug 991577.
  In Mitre's CVE dictionary: CVE-2021-3664, CVE-2021-27515, CVE-2022-0512, CVE-2022-0639, CVE-2022-0686, CVE-2022-0691.
- More information:
Multiple vulnerabilities were found in node-url-parse, a Node.js module used to parse URLs, which may result in authorization bypass or redirection to untrusted sites.

- CVE-2021-3664
  url-parse mishandles certain uses of a single (back)slash such as "https:\" and "https:/", and interprets the URI as a relative path. Browsers accept a single backslash after the protocol, and treat it as a normal slash, while url-parse sees it as a relative path. Depending on library usage, this may result in allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
- CVE-2021-27515
  Using a backslash in the protocol is valid in the browser, while url-parse thinks it's a relative path. An application that validates a URL using url-parse might pass a malicious link.
- CVE-2022-0512
  Incorrect handling of username and password can lead to failure to properly identify the hostname, which in turn could result in authorization bypass.
- CVE-2022-0639
  Incorrect conversion of "@" characters in the protocol in the href field can lead to failure to properly identify the hostname, which in turn could result in authorization bypass.
- CVE-2022-0686
  Rohan Sharma reported that url-parse is unable to find the correct hostname when no port number is provided in the URL, such as in "http://example.com:". This could in turn result in SSRF attacks, open redirects or any other vulnerability which depends on the hostname field of the parsed URL.
- CVE-2022-0691
  url-parse is unable to find the correct hostname when the URL contains a backspace ("\b") character. This tricks the parser into interpreting the URL as a relative path, bypassing all hostname checks. It can also lead to false positives in extractProtocol().
For Debian 10 buster, these problems have been fixed in version 1.2.0-2+deb10u2.
We recommend that you upgrade your node-url-parse packages.
For the detailed security status of node-url-parse please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-url-parse
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS