Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
AnalysisAI
url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path. Affected products include: Url-Parse Project Url-Parse. Version information: before 1.5.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9. Rated critical severity (CVSS 9.8), th
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8. Rated critical severity (CVSS 9.1), th
Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7. Rated medium severity (CVSS 5.3), this
url-parse is vulnerable to URL Redirection to Untrusted Site. Rated medium severity (CVSS 5.3), this vulnerability is re
Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may all
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today