Bugzilla – Bug 1196743
VUL-1: CVE-2022-24723: nodejs10,nodejs6,nodejs8,nodejs12,nodejs14,nodejs4,nodejs16: Leading white space bypasses protocol validation in URI.js
Last modified: 2022-03-07 13:34:14 UTC
CVE-2022-24723 URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround. Upstream fix: https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24723 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24723 https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f http://www.cvedetails.com/cve/CVE-2022-24723/ https://github.com/medialize/URI.js/releases/tag/v1.19.9 https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316 https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/
We bundle a node-uri-js in some of the nodejs packages, but this module is garycourt/uri-js, and not medialize/URI.js. Therefore, I think we're not affected.
(In reply to Thomas Leroy from comment #1) > We bundle a node-uri-js in some of the nodejs packages, but this module is > garycourt/uri-js, and not medialize/URI.js. Therefore, I think we're not > affected. Can you confirm @Adam please? :)
Correct, this appears to be a different one. We have uri-js, not urijs :-) I've just tested the version shipped as part of nodejs14 with the reproducer, > > require('./dist/es5/uri.all.js').parse("\bhttp://google.com"); > { > scheme: 'http', > userinfo: undefined, > host: 'google.com', > port: undefined, > path: '', > query: undefined, > fragment: undefined, > reference: 'absolute' > }
Great! Thank you very much Adam!
Closing