Skip to content

Hostname spoofing via backslashes in URL

Moderate
rodneyrehm published GHSA-3329-pjwv-fjpg Dec 30, 2020

Package

npm urijs (npm)

Affected versions

< 1.19.4

Patched versions

1.19.4

Description

Impact

If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: https://expected-example.com\@observed-example.com
Escaped string: https://expected-example.com\\@observed-example.com (JavaScript strings must escape backslash)

Affected versions incorrectly return observed-example.com. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Patches

Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.

References

https://github.com/medialize/URI.js/releases/tag/v1.19.4 (complete fix for this bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.3 (partial fix for this bypass)
PR #233 (initial fix for backslash handling)

For more information

If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js

Reporter credit

Alesandro Ortiz

Severity

Moderate

CVE ID

CVE-2020-26291

Weaknesses

No CWEs

Credits