Description
Whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly and protocol validation mechanisms may fail.
Recommendation
Update the urijs package to the latest compatible version. Version details:
- Affected version(s): < 1.19.9
- Patched version(s): 1.19.9
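The failure mode described above, as an added example that is not urijs code and not part of the original advisory: a scheme allow-list that matches at the start of the raw string accepts input with leading whitespace, while a check on the protocol resolved by the WHATWG `URL` parser rejects it. The function names, allow-list, base URL and sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration; not urijs code. All names here are hypothetical.
const ALLOWED = new Set(["http:", "https:", "mailto:"]);
const BASE = "https://app.example/"; // assumed base for relative references

// Flawed pattern: the scheme is matched at offset 0 of the raw string, so a
// value with leading whitespace appears to have no scheme and is waved
// through as a relative URL, although a browser strips the whitespace later.
function naiveIsAllowed(input) {
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(input);
  return m ? ALLOWED.has(m[1].toLowerCase()) : true;
}

// Hardened pattern: let the WHATWG parser (global URL in Node and browsers)
// normalise first. It strips leading/trailing C0 control or space characters
// and removes tab/CR/LF; the check then runs on the protocol it resolved.
function strictIsAllowed(input) {
  let parsed;
  try {
    parsed = new URL(String(input), BASE);
  } catch {
    return false; // unparseable input is rejected, not treated as relative
  }
  return ALLOWED.has(parsed.protocol);
}

// Constructed sample inputs.
const SAMPLES = [
  "https://example.org/a",
  "/account/settings",
  " javascript:void(0)",
  "\tjavascript:void(0)",
  "\r\njavascript:void(0)",
];

// Run both checks over the samples so the disagreement is visible per input.
function compare(samples) {
  return samples.map((s) => ({
    input: JSON.stringify(s),
    naive: naiveIsAllowed(s),
    strict: strictIsAllowed(s),
  }));
}

console.table(compare(SAMPLES));
```

A check like `strictIsAllowed` is defense in depth at the point where a URL is used; it does not replace upgrading to the patched version.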
Related Issues
- Incorrect protocol extraction via \r, \n and \t characters - CVE-2022-1243
- url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. - CVE-2022-0691
- secp256k1-js implements ECDSA without required r and s validation, leading to signature forgery - CVE-2022-41340
- parse-server auth adapter app ID validation can be circumvented - CVE-2022-39231
Tags: npm, urijs
Last updated on February 03, 2023