Description
A specially crafted URL with an ‘@’ sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href.
Recommendation
Update the url-parse package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.5.7
- Patched version(s): 1.5.7
References
Related Issues
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) - CVE-2019-10744
- jquery-validation vulnerable to Cross-site Scripting - CVE-2025-3573
- @mozilla/readability Denial of Service through Regex - CVE-2025-2792
- ejson shell parser in MongoDB Compass maybe bypassed - CVE-2024-6376
- Tags:
- npm
- url-parse
Anything's wrong? Let us know Last updated on September 11, 2023