Hostname spoofing via backslashes in URL

Description

If using affected versions to determine a URL’s hostname, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.

Recommendation

Update the urijs package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.19.4
• Patched version(s): 1.19.4

References

• GHSA-3329-pjwv-fjpg
• www.npmjs.com
• CVE-2020-26291
• CWE-20
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• URIjs Hostname spoofing via backslashes in URL - CVE-2021-27516
• URIjs Vulnerable to Hostname spoofing via backslashes in URL - CVE-2021-3647
• rsshub vulnerable to Cross-site Scripting via unvalidated URL parameters - CVE-2023-26491
• SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

urijs