CVE-2022-1233

MEDIUM6.5EPSS 0.18%

URL Confusion When Scheme Not Supplied in medialize/uri.js

Published: 4/5/2022Modified: 11/8/2023

Description

Medialize is a Javascript URL mutation library. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse ///www.example.com as http://www.example.com instead. For example, the following will cause a redirect to http://www.example.com: A fix was released in version 1.19.11.

Affected packages (1)

npm/urijsfrom 0, < 1.19.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-1233
PATCHhttps://github.com/medialize/uri.js
WEBhttps://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277
WEBhttps://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c