CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
47.2%
Whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly and protocol validation mechanisms may fail.
Patched in 1.19.9
Remove leading whitespace from values before passing them to URI.parse (e.g. via .href(value)
or new URI(value)
), e.g. by using
function remove_whitespace(url){
const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
url = url.replace(whitespace, '')
return url
}
If you have any questions or comments about this advisory:
github.com/advisories/GHSA-gmv4-r438-p67f
github.com/medialize/URI.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316
github.com/medialize/URI.js/releases/tag/v1.19.9
github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f
huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/
nvd.nist.gov/vuln/detail/CVE-2022-24723
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
47.2%