Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
16 vulnerabilities found for url-parse by url-parse_project
CVE-2022-0691 (GCVE-0-2022-0691)
Vulnerability from cvelistv5 – Published: 2022-02-21 00:00 – Updated: 2024-08-02 23:40
VLAI
Title
Authorization Bypass Through User-Controlled Key in unshiftio/url-parse
Summary
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Severity
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| unshiftio | unshiftio/url-parse |
Affected:
unspecified , < 1.5.9
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.252Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220325-0006/"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unshiftio/url-parse",
"vendor": "unshiftio",
"versions": [
{
"lessThan": "1.5.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4"
},
{
"url": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220325-0006/"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"source": {
"advisory": "57124ed5-4b68-4934-8325-2c546257f2e4",
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass Through User-Controlled Key in unshiftio/url-parse"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0691",
"datePublished": "2022-02-21T00:00:00.000Z",
"dateReserved": "2022-02-20T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:40:03.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0686 (GCVE-0-2022-0686)
Vulnerability from cvelistv5 – Published: 2022-02-20 00:00 – Updated: 2024-08-02 23:40
VLAI
Title
Authorization Bypass Through User-Controlled Key in unshiftio/url-parse
Summary
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Severity
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| unshiftio | unshiftio/url-parse |
Affected:
unspecified , < 1.5.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.149Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220325-0006/"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unshiftio/url-parse",
"vendor": "unshiftio",
"versions": [
{
"lessThan": "1.5.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c"
},
{
"url": "https://github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220325-0006/"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"source": {
"advisory": "55fd06cd-9054-4d80-83be-eb5a454be78c",
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass Through User-Controlled Key in unshiftio/url-parse"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0686",
"datePublished": "2022-02-20T00:00:00.000Z",
"dateReserved": "2022-02-19T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:40:03.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0639 (GCVE-0-2022-0639)
Vulnerability from cvelistv5 – Published: 2022-02-17 00:00 – Updated: 2025-12-16 17:06
VLAI
Title
Authorization Bypass Through User-Controlled Key in unshiftio/url-parse
Summary
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Severity
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| unshiftio | unshiftio/url-parse |
Affected:
unspecified , < 1.5.7
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-12-16T17:06:51.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/83a6bc9a-b542-4a38-82cd-d995a1481155"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00024.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unshiftio/url-parse",
"vendor": "unshiftio",
"versions": [
{
"lessThan": "1.5.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/83a6bc9a-b542-4a38-82cd-d995a1481155"
},
{
"url": "https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"source": {
"advisory": "83a6bc9a-b542-4a38-82cd-d995a1481155",
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass Through User-Controlled Key in unshiftio/url-parse"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0639",
"datePublished": "2022-02-17T00:00:00.000Z",
"dateReserved": "2022-02-16T00:00:00.000Z",
"dateUpdated": "2025-12-16T17:06:51.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-0512 (GCVE-0-2022-0512)
Vulnerability from cvelistv5 – Published: 2022-02-14 00:00 – Updated: 2024-08-02 23:32
VLAI
Title
Authorization Bypass Through User-Controlled Key in unshiftio/url-parse
Summary
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Severity
8.8 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| unshiftio | unshiftio/url-parse |
Affected:
unspecified , < 1.5.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:45.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unshiftio/url-parse",
"vendor": "unshiftio",
"versions": [
{
"lessThan": "1.5.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b"
},
{
"url": "https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"source": {
"advisory": "6d1bc51f-1876-4f5b-a2c2-734e09e8e05b",
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass Through User-Controlled Key in unshiftio/url-parse"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0512",
"datePublished": "2022-02-14T00:00:00.000Z",
"dateReserved": "2022-02-07T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:32:45.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3664 (GCVE-0-2021-3664)
Vulnerability from cvelistv5 – Published: 2021-07-26 00:00 – Updated: 2024-08-03 17:01
VLAI
Title
Open Redirect in unshiftio/url-parse
Summary
url-parse is vulnerable to URL Redirection to Untrusted Site
Severity
5.3 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| unshiftio | unshiftio/url-parse |
Affected:
unspecified , ≤ 1.5.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:07.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/1625557993985-unshiftio/url-parse"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unshiftio/url-parse",
"vendor": "unshiftio",
"versions": [
{
"lessThanOrEqual": "1.5.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "url-parse is vulnerable to URL Redirection to Untrusted Site"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/1625557993985-unshiftio/url-parse"
},
{
"url": "https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"source": {
"advisory": "1625557993985-unshiftio/url-parse",
"discovery": "EXTERNAL"
},
"title": "Open Redirect in unshiftio/url-parse"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3664",
"datePublished": "2021-07-26T00:00:00.000Z",
"dateReserved": "2021-07-23T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:01:07.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27515 (GCVE-0-2021-27515)
Vulnerability from cvelistv5 – Published: 2021-02-21 00:00 – Updated: 2024-08-03 21:26
VLAI
Summary
url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:09.243Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/pull/197"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/compare/1.4.7...1.5.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2021-4306"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "url-parse before 1.5.0 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0"
},
{
"url": "https://github.com/unshiftio/url-parse/pull/197"
},
{
"url": "https://github.com/unshiftio/url-parse/compare/1.4.7...1.5.0"
},
{
"url": "https://advisory.checkmarx.net/advisory/CX-2021-4306"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27515",
"datePublished": "2021-02-21T00:00:00.000Z",
"dateReserved": "2021-02-21T00:00:00.000Z",
"dateUpdated": "2024-08-03T21:26:09.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8124 (GCVE-0-2020-8124)
Vulnerability from cvelistv5 – Published: 2020-02-04 19:08 – Updated: 2024-08-04 09:48
VLAI
Summary
Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks.
Severity
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation (CWE-20)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/496293 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:25.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/496293"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "url-parse",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed Version 1.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-04T19:08:56.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/496293"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8124",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "url-parse",
"version": {
"version_data": [
{
"version_value": "Fixed Version 1.4.5"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/496293",
"refsource": "MISC",
"url": "https://hackerone.com/reports/496293"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8124",
"datePublished": "2020-02-04T19:08:56.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:48:25.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-3774 (GCVE-0-2018-3774)
Vulnerability from cvelistv5 – Published: 2018-08-12 22:00 – Updated: 2024-08-05 04:50
VLAI
Summary
Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
Severity
No CVSS data available.
CWE
- CWE-425 - Forced Browsing (CWE-425)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/unshiftio/url-parse/commit/d7b… | x_refsource_CONFIRM |
| https://hackerone.com/reports/384029 | x_refsource_MISC |
| https://github.com/unshiftio/url-parse/commit/53b… | x_refsource_CONFIRM |
Date Public
2018-07-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/384029"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "url-parse",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "1.4.3"
}
]
}
],
"datePublic": "2018-07-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Incorrect parsing in url-parse \u003c1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "Forced Browsing (CWE-425)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-12T21:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/384029"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-3774",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "url-parse",
"version": {
"version_data": [
{
"version_value": "1.4.3"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Incorrect parsing in url-parse \u003c1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Forced Browsing (CWE-425)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de",
"refsource": "CONFIRM",
"url": "https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de"
},
{
"name": "https://hackerone.com/reports/384029",
"refsource": "MISC",
"url": "https://hackerone.com/reports/384029"
},
{
"name": "https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a",
"refsource": "CONFIRM",
"url": "https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3774",
"datePublished": "2018-08-12T22:00:00.000Z",
"dateReserved": "2017-12-28T00:00:00.000Z",
"dateUpdated": "2024-08-05T04:50:30.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0691 (GCVE-0-2022-0691)
Vulnerability from nvd – Published: 2022-02-21 00:00 – Updated: 2024-08-02 23:40
VLAI
Title
Authorization Bypass Through User-Controlled Key in unshiftio/url-parse
Summary
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Severity
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| unshiftio | unshiftio/url-parse |
Affected:
unspecified , < 1.5.9
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.252Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220325-0006/"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unshiftio/url-parse",
"vendor": "unshiftio",
"versions": [
{
"lessThan": "1.5.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4"
},
{
"url": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220325-0006/"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"source": {
"advisory": "57124ed5-4b68-4934-8325-2c546257f2e4",
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass Through User-Controlled Key in unshiftio/url-parse"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0691",
"datePublished": "2022-02-21T00:00:00.000Z",
"dateReserved": "2022-02-20T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:40:03.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0686 (GCVE-0-2022-0686)
Vulnerability from nvd – Published: 2022-02-20 00:00 – Updated: 2024-08-02 23:40
VLAI
Title
Authorization Bypass Through User-Controlled Key in unshiftio/url-parse
Summary
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Severity
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| unshiftio | unshiftio/url-parse |
Affected:
unspecified , < 1.5.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.149Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220325-0006/"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unshiftio/url-parse",
"vendor": "unshiftio",
"versions": [
{
"lessThan": "1.5.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c"
},
{
"url": "https://github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220325-0006/"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"source": {
"advisory": "55fd06cd-9054-4d80-83be-eb5a454be78c",
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass Through User-Controlled Key in unshiftio/url-parse"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0686",
"datePublished": "2022-02-20T00:00:00.000Z",
"dateReserved": "2022-02-19T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:40:03.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0639 (GCVE-0-2022-0639)
Vulnerability from nvd – Published: 2022-02-17 00:00 – Updated: 2025-12-16 17:06
VLAI
Title
Authorization Bypass Through User-Controlled Key in unshiftio/url-parse
Summary
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Severity
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| unshiftio | unshiftio/url-parse |
Affected:
unspecified , < 1.5.7
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-12-16T17:06:51.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/83a6bc9a-b542-4a38-82cd-d995a1481155"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00024.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unshiftio/url-parse",
"vendor": "unshiftio",
"versions": [
{
"lessThan": "1.5.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/83a6bc9a-b542-4a38-82cd-d995a1481155"
},
{
"url": "https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"source": {
"advisory": "83a6bc9a-b542-4a38-82cd-d995a1481155",
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass Through User-Controlled Key in unshiftio/url-parse"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0639",
"datePublished": "2022-02-17T00:00:00.000Z",
"dateReserved": "2022-02-16T00:00:00.000Z",
"dateUpdated": "2025-12-16T17:06:51.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-0512 (GCVE-0-2022-0512)
Vulnerability from nvd – Published: 2022-02-14 00:00 – Updated: 2024-08-02 23:32
VLAI
Title
Authorization Bypass Through User-Controlled Key in unshiftio/url-parse
Summary
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Severity
8.8 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| unshiftio | unshiftio/url-parse |
Affected:
unspecified , < 1.5.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:45.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unshiftio/url-parse",
"vendor": "unshiftio",
"versions": [
{
"lessThan": "1.5.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b"
},
{
"url": "https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"source": {
"advisory": "6d1bc51f-1876-4f5b-a2c2-734e09e8e05b",
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass Through User-Controlled Key in unshiftio/url-parse"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0512",
"datePublished": "2022-02-14T00:00:00.000Z",
"dateReserved": "2022-02-07T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:32:45.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3664 (GCVE-0-2021-3664)
Vulnerability from nvd – Published: 2021-07-26 00:00 – Updated: 2024-08-03 17:01
VLAI
Title
Open Redirect in unshiftio/url-parse
Summary
url-parse is vulnerable to URL Redirection to Untrusted Site
Severity
5.3 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| unshiftio | unshiftio/url-parse |
Affected:
unspecified , ≤ 1.5.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:07.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/1625557993985-unshiftio/url-parse"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unshiftio/url-parse",
"vendor": "unshiftio",
"versions": [
{
"lessThanOrEqual": "1.5.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "url-parse is vulnerable to URL Redirection to Untrusted Site"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/1625557993985-unshiftio/url-parse"
},
{
"url": "https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"source": {
"advisory": "1625557993985-unshiftio/url-parse",
"discovery": "EXTERNAL"
},
"title": "Open Redirect in unshiftio/url-parse"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3664",
"datePublished": "2021-07-26T00:00:00.000Z",
"dateReserved": "2021-07-23T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:01:07.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27515 (GCVE-0-2021-27515)
Vulnerability from nvd – Published: 2021-02-21 00:00 – Updated: 2024-08-03 21:26
VLAI
Summary
url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:09.243Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/pull/197"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/compare/1.4.7...1.5.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2021-4306"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "url-parse before 1.5.0 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0"
},
{
"url": "https://github.com/unshiftio/url-parse/pull/197"
},
{
"url": "https://github.com/unshiftio/url-parse/compare/1.4.7...1.5.0"
},
{
"url": "https://advisory.checkmarx.net/advisory/CX-2021-4306"
},
{
"name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27515",
"datePublished": "2021-02-21T00:00:00.000Z",
"dateReserved": "2021-02-21T00:00:00.000Z",
"dateUpdated": "2024-08-03T21:26:09.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8124 (GCVE-0-2020-8124)
Vulnerability from nvd – Published: 2020-02-04 19:08 – Updated: 2024-08-04 09:48
VLAI
Summary
Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks.
Severity
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation (CWE-20)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/496293 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:25.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/496293"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "url-parse",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed Version 1.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-04T19:08:56.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/496293"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8124",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "url-parse",
"version": {
"version_data": [
{
"version_value": "Fixed Version 1.4.5"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/496293",
"refsource": "MISC",
"url": "https://hackerone.com/reports/496293"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8124",
"datePublished": "2020-02-04T19:08:56.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:48:25.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-3774 (GCVE-0-2018-3774)
Vulnerability from nvd – Published: 2018-08-12 22:00 – Updated: 2024-08-05 04:50
VLAI
Summary
Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
Severity
No CVSS data available.
CWE
- CWE-425 - Forced Browsing (CWE-425)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/unshiftio/url-parse/commit/d7b… | x_refsource_CONFIRM |
| https://hackerone.com/reports/384029 | x_refsource_MISC |
| https://github.com/unshiftio/url-parse/commit/53b… | x_refsource_CONFIRM |
Date Public
2018-07-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/384029"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "url-parse",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "1.4.3"
}
]
}
],
"datePublic": "2018-07-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Incorrect parsing in url-parse \u003c1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "Forced Browsing (CWE-425)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-12T21:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/384029"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-3774",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "url-parse",
"version": {
"version_data": [
{
"version_value": "1.4.3"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Incorrect parsing in url-parse \u003c1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Forced Browsing (CWE-425)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de",
"refsource": "CONFIRM",
"url": "https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de"
},
{
"name": "https://hackerone.com/reports/384029",
"refsource": "MISC",
"url": "https://hackerone.com/reports/384029"
},
{
"name": "https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a",
"refsource": "CONFIRM",
"url": "https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3774",
"datePublished": "2018-08-12T22:00:00.000Z",
"dateReserved": "2017-12-28T00:00:00.000Z",
"dateUpdated": "2024-08-05T04:50:30.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}