Description
An attacker can use case variants of the protocol scheme, which is case-insensitive, such as HTTP, htTP or HTtp, to bypass the patch for CVE-2021-3647.
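As an added illustration (not urijs's own code, which this page does not show), the constructed JavaScript below contrasts a scheme check that compares the raw string case-sensitively with one that normalises it first, and shows that Node's WHATWG URL parser lowercases the scheme, so the case variants named above reach the consumer as plain http. The function names and sample URLs are assumptions.

```javascript
// Constructed example: a case-sensitive scheme check disagrees with the consumer.
// RFC 3986 §3.1 makes scheme names case-insensitive, and URL parsers lowercase
// them, so "HTtp://" is handled exactly like "http://" downstream.

// Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
const SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.\-]*):/;

// Return the scheme exactly as written, or null if there is none.
function rawScheme(url) {
  const m = SCHEME_RE.exec(url);
  return m ? m[1] : null;
}

// Weak (hypothetical): only exactly "http"/"https" is recognised, so any
// protective handling gated on this check is skipped for "HTtp://...".
function isWebSchemeWeak(url) {
  const s = rawScheme(url);
  return s === 'http' || s === 'https';
}

// Hardened: normalise case before comparing, matching what the parser that
// ultimately consumes the URL will do.
function isWebSchemeHardened(url) {
  const s = rawScheme(url);
  return s !== null && ['http', 'https'].includes(s.toLowerCase());
}

// What the consumer actually sees: the WHATWG parser lowercases the scheme.
function consumerScheme(url) {
  try {
    return new URL(url).protocol; // e.g. "http:"
  } catch (e) {
    return null;
  }
}

// Constructed inputs mirroring the case variants named in the advisory.
function demo() {
  const samples = ['http://example.test/', 'HTTP://example.test/',
                   'htTP://example.test/', 'HTtp://example.test/'];
  return samples.map((u) => ({
    url: u,
    weak: isWebSchemeWeak(u),         // true only for the first sample
    hardened: isWebSchemeHardened(u), // true for all four
    consumer: consumerScheme(u),      // "http:" for all four
  }));
}
```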
Recommendation
Update the urijs package to the latest compatible version. Version details:
- Affected version(s): < 1.19.8
- Patched version(s): 1.19.8
References
- GHSA-gcv8-gh4r-25x6
- huntr.dev
- lists.fedoraproject.org
- CVE-2022-0613
- CWE-639
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Tags: npm, urijs
Last updated on February 03, 2023