Vulnerability Details : CVE-2020-26291
URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]
Vulnerability category: Server-side request forgery (SSRF) Input validation
Products affected by CVE-2020-26291
- cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26291
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 29 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-26291
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
8.0
|
2.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2020-26291
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security-advisories@github.com (Primary)
References for CVE-2020-26291
-
https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155
fix(parse): treat backslash as forwardslash in authority (#403) · medialize/URI.js@b02bf03 · GitHubPatch;Third Party Advisory
-
https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg
Hostname spoofing via backslashes in URL · Advisory · medialize/URI.js · GitHubThird Party Advisory
-
https://github.com/medialize/URI.js/releases/tag/v1.19.4
Release 1.19.4 (December 23rd 2020) · medialize/URI.js · GitHubRelease Notes;Third Party Advisory
-
https://www.npmjs.com/package/urijs
urijs - npmThird Party Advisory
Jump to