Whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly and protocol validation mechanisms may fail.
Patched in 1.19.9
Remove leading whitespace from values before passing them to URI.parse (e.g. via .href(value)
or new URI(value)
), e.g. by using
function remove_whitespace(url){
const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
url = url.replace(whitespace, '')
return url
}
If you have any questions or comments about this advisory:
github.com/medialize/URI.js
github.com/medialize/URI.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316
github.com/medialize/URI.js/releases/tag/v1.19.9
github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f
huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5
nvd.nist.gov/vuln/detail/CVE-2022-24723