CVE-2022-25839

The package url-js before 2.1.0 are vulnerable to Improper Input Validation due to improper parsing, which makes it is possible for the hostname to be spoofed. http://\\\\\\\\localhost and http://localhost are the same URL. However, the hostname is not parsed as localhost, and the backslash is reflected as it is.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
snykCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
VendorProductVersion
url-js_projecturl-js
𝑥
< 2.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/duzun/URL.js/commit/9dc9fcc99baa4cbda24403d81a589e9b0f4121d0
https://snyk.io/vuln/SNYK-JS-URLJS-2414030
https://github.com/duzun/URL.js/commit/9dc9fcc99baa4cbda24403d81a589e9b0f4121d0
https://snyk.io/vuln/SNYK-JS-URLJS-2414030