Description
Carriage return (\r), line feed (\n) and tab (\t) characters in user-supplied URLs can cause the npm package urijs, prior to version 1.19.11, to extract the wrong protocol (scheme). Browsers strip these characters before parsing a URL, so `java\tscript:alert(1)` is executed as a `javascript:` link, while a parser that does not strip them sees no recognisable scheme at all.
This can lead to XSS when the module is used to filter out malicious `javascript:` links before they are inserted into HTML or JavaScript: the filter sees a scheme-less (apparently relative) URL and lets it through, and the browser then runs it as `javascript:`.
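As an added illustration (not code from urijs, nor from this advisory): a scheme-allowlist filter that reads the scheme from the raw string, beside the same filter after applying the two pre-processing steps the WHATWG URL parser performs (trim leading and trailing C0 controls and spaces, then delete every ASCII tab, LF and CR). The payloads and all function names are constructed for this example; Node's built-in `URL` class stands in for the browser's parser to show which scheme the browser would actually act on.

```javascript
// Added example, not urijs code. Compares a naive scheme allowlist with one
// that first removes the control characters browsers drop before parsing.

// Extract the scheme as a naive filter would: match the literal prefix of the
// raw string and report '' (i.e. "relative URL") when nothing matches.
function naiveProtocol(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(url);
  return m ? m[1].toLowerCase() : '';
}

// WHATWG URL pre-processing: strip leading/trailing C0 controls and spaces,
// then delete every ASCII tab, LF and CR anywhere in the input.
function stripControlChars(url) {
  return url
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Hardened variant: normalise the way the browser will, then extract.
function hardenedProtocol(url) {
  return naiveProtocol(stripControlChars(url));
}

// What the browser acts on: Node's URL class implements the WHATWG parser.
// Returns null for inputs the parser rejects outright.
function browserProtocol(url) {
  try {
    return new URL(url, 'https://example.test/').protocol.slice(0, -1);
  } catch (e) {
    return null;
  }
}

// Allowlist used by both filters; '' means "relative URL, keep it".
const ALLOWED = new Set(['http', 'https', '']);

function isSafeHref(url, extract) {
  return ALLOWED.has(extract(url));
}

// Constructed payloads (hypothetical; not taken from the advisory).
const PAYLOADS = [
  'java\tscript:alert(1)',   // tab inside the scheme
  'java\nscript:alert(1)',   // LF inside the scheme
  '\rjavascript:alert(1)',   // leading CR
  'javascript\t:alert(1)',   // tab before the colon
];

// Payloads that a given extractor lets through although the browser would
// execute them as javascript: URLs.
function bypasses(extract) {
  return PAYLOADS.filter(
    (p) => isSafeHref(p, extract) && browserProtocol(p) === 'javascript'
  );
}

console.log('naive filter bypassed by:', bypasses(naiveProtocol));
console.log('hardened filter bypassed by:', bypasses(hardenedProtocol));
```

Stripping only leading whitespace is not enough: the fourth payload places the tab after the scheme, so the normalisation has to delete tab, LF and CR from the whole string, as the browser does, before the scheme is compared against the allowlist.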
Recommendation
Update the urijs package to the latest compatible version. Version details:
- Affected version(s): < 1.19.11
- Patched version(s): 1.19.11
References
Related Issues
- Leading white space bypasses protocol validation - CVE-2022-24723
- url-parse incorrectly parses hostname / protocol due to unstripped leading control characters - CVE-2022-0691
- matrix-js-sdk subject to user spoofing via Olm/Megolm protocol confusion - CVE-2022-39251
- steal vulnerable to Prototype Pollution via optionName variable - CVE-2022-37264
Tags:
- npm
- urijs
Last updated on November 29, 2023