Bug 1989389 (CVE-2021-3664) - CVE-2021-3664 nodejs-url-parse: URL Redirection to Untrusted Site
Summary: CVE-2021-3664 nodejs-url-parse: URL Redirection to Untrusted Site
Keywords:
Status: NEW
Alias: CVE-2021-3664
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1992093 1992094 1992095 1992783 1992784 1992785 1992786 1992787 1992819 1995342
Blocks: 1989390
Reported: 2021-08-03 06:16 UTC by Dhananjay Arunesh
Modified: 2023-10-25 17:21 UTC

Fixed In Version: url-parse 1.5.2
Doc Type: No Doc Update
Doc Text:
An input validation flaw was found in the nodejs url-parse library, which incorrectly parses a URL that contains backslashes. This flaw allows an attacker to specify a relative URL and cause the browser to redirect to a malicious website. The highest threat from this vulnerability is to integrity. A related vulnerability is CVE-2021-27515.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Dhananjay Arunesh 2021-08-03 06:16:35 UTC
A vulnerability was found in nodejs-url-parse where url-parse is vulnerable to URL Redirection to Untrusted Site.

References:
https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0

Comment 5 Stoyan Nikolov 2021-08-03 08:00:51 UTC
Upstream fix: https://github.com/unshiftio/url-parse/pull/208

Comment 6 Przemyslaw Roguski 2021-08-04 17:34:21 UTC
This vulnerability is exactly like CVE-2021-27515.
The fix looks like an incomplete fix for CVE-2021-27515 (https://github.com/unshiftio/url-parse/pull/197/files).

Comment 11 Jon Blackburn 2021-08-12 14:48:08 UTC
This is only pulled in by default with the webpack-dev-server. We don't actually use the url-parse package in our application. Is there anything else we need to do with this?

