Description
Versions of url-parse before 1.4.3 returns the wrong hostname which could lead to Open Redirect, Server Side Request Forgery (SSRF), or Bypass Authentication Protocol vulnerabilities.
Recommendation
Update the url-parse package to the latest compatible version. Followings are version details:
- Affected version(s): >= 1.0.0, < 1.4.3
- Patched version(s): 1.4.3
References
Related Issues
- Open redirect in url-parse - url-parse - CVE-2021-3664
- Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass) - CVE-2026-42259
- Authorization Bypass Through User-Controlled Key in url-parse - CVE-2022-0686
- url-parse Incorrectly parses URLs that include an '@ - CVE-2022-0639
You might also like:
- Tags:
- npm
- url-parse
Anything's wrong? Let us know Last updated on January 23, 2026


