Description
Whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly and protocol validation mechanisms may fail.
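An added example (not code from urijs or from this advisory) of the failure mode described above: a scheme allowlist that reads the protocol from the raw string disagrees with how a browser-style parser reads the same input. `naiveProtocol` is a constructed stand-in for a parser that does not trim leading whitespace; the allowlist and the sample inputs are assumptions.

```javascript
// Added example. Nothing here is urijs code; names and inputs are constructed.
const ALLOWED = new Set(["http", "https", "mailto"]); // assumed allowlist

// Flawed pattern: the scheme must start at index 0, so " javascript:..."
// yields no scheme and is treated as a relative reference.
function naiveProtocol(input) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(input);
  return m ? m[1].toLowerCase() : "";
}

function naiveIsAllowed(input) {
  const p = naiveProtocol(input);
  return p === "" || ALLOWED.has(p);
}

// What a WHATWG URL parser (as used by browsers and Node) sees for the same
// string. Returns "" when the input is not an absolute URL.
function whatwgProtocol(input) {
  try {
    return new URL(input).protocol.replace(/:$/, "");
  } catch {
    return "";
  }
}

// Hardened check: strip leading/trailing C0 control and space characters and
// remove tab/CR/LF anywhere (the same pre-processing the WHATWG parser does)
// before extracting the scheme and applying the allowlist.
function normalize(input) {
  return String(input)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

function strictIsAllowed(input) {
  const p = naiveProtocol(normalize(input));
  return p === "" || ALLOWED.has(p);
}

// Constructed sample inputs: show where validator and parser disagree.
for (const s of [" javascript:void(0)", "java\tscript:void(0)", " https://example.com/", "/docs"]) {
  console.log(JSON.stringify(s), {
    naive: naiveIsAllowed(s),
    strict: strictIsAllowed(s),
    parsedAs: whatwgProtocol(s),
  });
}
```

Any input where `naive` is `true` but `parsedAs` is outside the allowlist is a validator/parser mismatch of the kind the patched version closes.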
Recommendation
Update the urijs package to the latest compatible version. Version details:
- Affected version(s): < 1.19.9
- Patched version(s): 1.19.9
References
Related Issues
- secp256k1-js implements ECDSA without required r and s validation, leading to signature forgery - CVE-2022-41340
- url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. - CVE-2022-0691
- Incorrect protocol extraction via \r, \n and \t characters - CVE-2022-1243
- JWS and JWT signature validation vulnerability with special characters - CVE-2022-25898
- Tags:
- npm
- urijs
Last updated on February 03, 2023