Open Redirect in url-parse

Severity:: High

Description

Versions of url-parse before 1.4.3 returns the wrong hostname which could lead to Open Redirect, Server Side Request Forgery (SSRF), or Bypass Authentication Protocol vulnerabilities.

Recommendation

Update the url-parse package to the latest compatible version. Followings are version details:

Affected version(s): >= 1.0.0, < 1.4.3
Patched version(s): 1.4.3

References

GHSA-pv4c-p2j5-38j4
hackerone.com
CVE-2018-3774
CWE-425
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Open redirect in url-parse (GHSA-hh27-ffr2-f2jc) - CVE-2021-3664
Improper Validation and Sanitization in url-parse - CVE-2020-8124
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. - CVE-2022-0691
url-parse Incorrectly parses URLs that include an '@ - CVE-2022-0639

Tags:: npm; url-parse

Anything's wrong? Let us know Last updated on January 23, 2026