Node.js is vulnerable to hostname spoofing. If a Node.js application uses url.parse() to determine the hostname of a URL, the hostname can be spoofed using a mixed-case JavaScript protocol (e.g. javAscript). As a result, hostname-based access controls make incorrect decisions, and a remote attacker can bypass them.
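
A hostname allowlist check that does not depend on url.parse(), shown as an added example and not code from Node.js or from this advisory. It parses with the WHATWG URL class and checks the scheme before the hostname is trusted; the names checkUrl, ALLOWED_PROTOCOLS and ALLOWED_HOSTS and all sample URLs are constructed for illustration.

```javascript
// Added example: hostname-based access check with an explicit scheme allowlist.
// ALLOWED_HOSTS and the sample URLs below are constructed, not from the advisory.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const ALLOWED_HOSTS = new Set(["trusted.example"]);

function checkUrl(input) {
  let parsed;
  try {
    // The WHATWG parser throws on relative or malformed input instead of guessing.
    parsed = new URL(input);
  } catch {
    return { allowed: false, reason: "unparseable" };
  }
  // The parser lowercases the scheme, so "javAscript:" and "javascript:" are
  // the same value here. Reject every scheme that is not explicitly allowed
  // before looking at the hostname at all.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { allowed: false, reason: "protocol" };
  }
  // Userinfo ("user@host") is a common source of host confusion; refuse it.
  if (parsed.username !== "" || parsed.password !== "") {
    return { allowed: false, reason: "userinfo" };
  }
  // Exact match on the normalised hostname: no suffix or substring matching.
  if (!ALLOWED_HOSTS.has(parsed.hostname)) {
    return { allowed: false, reason: "hostname" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample inputs covering the mixed-case scheme from the advisory
// and neighbouring cases a hostname check has to get right.
const samples = [
  "https://trusted.example/account",
  "HTTPS://Trusted.Example/account",
  "javAscript://trusted.example/account",
  "https://trusted.example@other.example/",
  "https://trusted.example.other.example/",
  "/account",
];

for (const s of samples) {
  const r = checkUrl(s);
  console.log(`${r.allowed ? "ALLOW" : "DENY "} ${r.reason.padEnd(11)} ${s}`);
}
```

The mixed-case scheme is rejected on the protocol check even though its hostname field matches the allowlist, which is the ordering that keeps the hostname comparison from being the only gate.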