Vulnerability Description
The package url-js before 2.1.0 is vulnerable to Improper Input Validation due to improper URL parsing, which makes it possible for the hostname to be spoofed. http://\\\\\\\\localhost and http://localhost are the same URL: the WHATWG URL Standard treats a backslash following a special scheme such as http as a slash, so browsers and spec-conformant parsers resolve both to the host localhost. url-js, however, does not parse the hostname as localhost; the backslash is reflected into the parsed result as-is. Any hostname allowlist or denylist built on url-js's output can therefore disagree with the host that a browser or HTTP client actually connects to.
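The mismatch described above, as an added example that is not code from url-js or its fix: a constructed naive authority parser that reflects backslashes verbatim (a stand-in for the pre-2.1.0 behaviour, not the library's real implementation) is compared with Node's built-in WHATWG URL parser, and a hypothetical SSRF-style hostname denylist is run over both results to show which inputs slip past the naive check.

```javascript
// Added example, not url-js code. naiveHostname() is a constructed stand-in
// for the behaviour the advisory describes: scheme, then everything up to the
// first "/", "?" or "#" is taken as the authority. A backslash is not treated
// as a delimiter, so "\\localhost" comes back as the host, backslashes included.
function naiveHostname(input) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)/i.exec(input);
  if (!m) return null;
  let authority = m[2];
  const at = authority.lastIndexOf('@');
  if (at !== -1) authority = authority.slice(at + 1); // drop userinfo
  return authority.split(':')[0].toLowerCase();      // drop port
}

// Spec-conformant hostname via the WHATWG URL parser built into Node and
// browsers: for special schemes (http, https, ws, wss, ftp, file) backslashes
// after the scheme are treated as slashes, so this is the host an HTTP client
// will actually connect to.
function whatwgHostname(input) {
  try {
    return new URL(input).hostname;
  } catch (e) {
    return null;
  }
}

// Hypothetical SSRF-style denylist keyed on the parsed hostname (constructed).
const BLOCKED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function isBlocked(hostname) {
  return hostname !== null && BLOCKED_HOSTS.has(hostname);
}

// Run both parsers on one input and report whether the denylist fires.
// bypass is true when a check built on the naive parser lets through a URL
// that the spec-conformant parser resolves to a blocked host.
function spoofReport(input) {
  const naive = naiveHostname(input);
  const whatwg = whatwgHostname(input);
  return {
    input,
    naive,
    whatwg,
    naiveBlocked: isBlocked(naive),
    whatwgBlocked: isBlocked(whatwg),
    bypass: !isBlocked(naive) && isBlocked(whatwg),
  };
}

// Constructed inputs. In a JS string literal, "\\\\" is two backslash characters.
const SAMPLES = [
  'http://localhost/admin',
  'http://\\\\localhost/admin',
  'http://\\localhost/admin',
  'http://example.com/',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) console.log(spoofReport(s));
}
```

The practical check this suggests: parse with the platform's WHATWG URL implementation (or url-js 2.1.0 or later) before applying any host-based policy, and compare the hostname that parser returns, never a hostname recovered by hand from the raw string.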
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Url-Js Project | Url-Js | < 2.1.0 |
Related Weaknesses (CWE)
- CWE-20: Improper Input Validation
References
- https://github.com/duzun/URL.js/commit/9dc9fcc99baa4cbda24403d81a589e9b0f4121d0 (Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-URLJS-2414030 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2022-25839?
CVE-2022-25839 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The package url-js before 2.1.0 is vulnerable to Improper Input Validation due to improper URL parsing, which makes it possible for the hostname to be spoofed: a URL whose authority begins with backslashes is not parsed to the same hostname that a spec-conformant parser returns (see the description above).
How severe is CVE-2022-25839?
CVE-2022-25839 has been rated MEDIUM with a CVSS base score of 4.3/10. See the CVSS Score section above.
Is there a patch for CVE-2022-25839?
Yes. The issue is fixed in url-js 2.1.0; upgrade to 2.1.0 or later. The fixing commit and the Snyk advisory are listed in the References section above. Affected product: Url-Js Project Url-Js, versions before 2.1.0.