Description
\r, \n and \t characters in user-supplied URLs can lead to incorrect protocol extraction in the npm package urijs prior to version 1.19.11.
This can lead to XSS when the module is relied on to reject malicious javascript: links before they are placed into HTML or JavaScript.
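As an added example (not code from the advisory or from urijs), the following contrasts a naive scheme check that the control characters described above slip past with a check that lets the WHATWG URL parser, which browsers follow, decide the scheme; the sample inputs and the allow-list are constructed for illustration.

```javascript
// Added example, not from urijs or the advisory. Shows why splitting a scheme
// out of raw text is unsafe when \t, \r or \n can appear inside the URL, and
// how an allow-list on the browser-normalized scheme avoids the problem.

// Naive check: text before the first ':' is treated as the scheme and compared
// against a block-list. "java\nscript:..." yields the scheme "java\nscript",
// which matches nothing on the list, so the link is wrongly allowed.
function naiveIsSafeLink(input) {
  const scheme = input.split(':')[0].toLowerCase();
  return scheme !== 'javascript' && scheme !== 'data' && scheme !== 'vbscript';
}

// Hardened check: allow-list instead of block-list, and the scheme comes from
// the WHATWG URL parser, which strips leading/trailing C0 controls and spaces
// and removes every ASCII tab, CR and LF before parsing, exactly as a browser
// does when it follows the link.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // constructed policy

function hardenedIsSafeLink(input) {
  let parsed;
  try {
    // Relative links resolve against a fixed base so they parse as https.
    parsed = new URL(input, 'https://example.invalid/');
  } catch {
    return false; // unparseable input is rejected rather than guessed at
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Scheme a browser would see for the same input (null if unparseable).
function browserScheme(input) {
  try {
    return new URL(input, 'https://example.invalid/').protocol;
  } catch {
    return null;
  }
}

// Constructed sample inputs exercising the control characters named above.
const SAMPLES = [
  'https://example.org/path',
  'java\tscript:alert(1)',
  'java\nscript:alert(1)',
  'java\rscript:alert(1)',
  '\tjavascript:alert(1)',
];

function compareChecks() {
  return SAMPLES.map((s) => ({
    input: JSON.stringify(s),
    naive: naiveIsSafeLink(s),
    hardened: hardenedIsSafeLink(s),
    browserScheme: browserScheme(s),
  }));
}

console.table(compareChecks());
```

Every control-character sample passes the naive check yet normalizes to the javascript: scheme, which the hardened check rejects.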
Recommendation
Update the urijs package to the latest compatible version. Version details:
- Affected version(s): < 1.19.11
- Patched version(s): 1.19.11
Related Issues
- URIjs Hostname spoofing via backslashes in URL - CVE-2021-27516
- Open Redirect in urijs - CVE-2022-0868
- Leading white space bypasses protocol validation - CVE-2022-24723
- Authorization Bypass Through User-Controlled Key in urijs - CVE-2022-0613
Tags:
- npm
- urijs
Last updated on November 29, 2023