Lucene search
GoogleOSV:GHSA-GMV4-R438-P67FHistoryMar 03, 2022 - 7:23 p.m.
Leading white space bypasses protocol validation
2022-03-0319:23:36
Google
osv.dev
18
protocol validation
leading whitespace
patched.
EPSS
0.001
Percentile
47.2%
Impact
Whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly and protocol validation mechanisms may fail.
Patches
Patched in 1.19.9
Workarounds
Remove leading whitespace from values before passing them to URI.parse (e.g. via .href(value) or new URI(value)), e.g. by using
function remove_whitespace(url){
const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
url = url.replace(whitespace, '')
return url
}
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in medialize/URI.js
References
github.com/medialize/URI.js
github.com/medialize/URI.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316
github.com/medialize/URI.js/releases/tag/v1.19.9
github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f
huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5
nvd.nist.gov/vuln/detail/CVE-2022-24723
Related
github
github
Leading white space bypasses protocol validation
2022-03-03 19:23:36
cvelist
cvelist
CVE-2022-24723 Improper Input Validation in URI.js
2022-03-03 20:35:11
prion
prion
Input validation
2022-03-03 21:15:00
huntr
huntr
Protocol/Hostname spoofing via Improper Input Validation
2022-02-27 02:50:37
osv
osv
CVE-2022-24723
2022-03-03 21:15:07
cve
cve
CVE-2022-24723
2022-03-03 21:15:07
redhatcve
redhatcve
CVE-2022-24723
2022-03-09 16:57:45
cnvd
cnvd
Medialize URI.js Input Validation Error Vulnerability (CNVD-2022-19502)
2022-03-04 00:00:00
nvd
nvd
CVE-2022-24723
2022-03-03 21:15:07
veracode
veracode
Cross-site Scripting (XSS)
2022-03-04 04:13:53
ubuntucve
ubuntucve
CVE-2022-24723
2022-03-03 00:00:00
nessus
nessus
RHEL 8 : dotnet5.0 (Unpatched Vulnerability)
2024-06-03 00:00:00
ibm
ibm
redhat
redhat