CVE-2021-3664 Overview
CVE-2021-3664 is a URL Redirection to Untrusted Site vulnerability affecting the url-parse npm package, a popular JavaScript library used for parsing URLs in Node.js applications. The vulnerability allows attackers to manipulate URL parsing behavior, potentially redirecting users to malicious websites by exploiting improper handling of protocol schemes and slashes.
Critical Impact
Applications using vulnerable versions of url-parse may be susceptible to open redirect attacks, allowing attackers to redirect users to phishing sites or malicious domains while appearing to originate from a trusted source.
Affected Products
- url-parse (Node.js package)
- Applications dependent on url-parse for URL parsing and validation
- Web applications using url-parse for redirect handling
Discovery Timeline
- 2021-07-26 - CVE-2021-3664 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3664
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site), commonly known as an Open Redirect vulnerability. The issue stems from improper handling of URL protocols and slash characters in the url-parse library. When parsing URLs with special protocol schemes (such as http:, https:, ftp:, file:, ws:, and wss:), the library failed to properly validate and normalize slashes following the protocol identifier.
The network-based attack vector allows remote exploitation without requiring any privileges or user interaction. The vulnerability impacts the integrity of URL parsing operations, potentially causing applications to misinterpret malicious URLs as legitimate ones.
Root Cause
The root cause of CVE-2021-3664 lies in the url-parse library's failure to distinguish between special and non-special URL protocol schemes when processing slashes after the protocol. Special URL schemes have specific parsing rules defined by the URL Living Standard, particularly regarding how authority components and path separators are handled. The vulnerable code did not implement proper scheme-specific validation, allowing attackers to craft URLs that bypass security checks.
Attack Vector
Attackers can exploit this vulnerability by crafting malicious URLs with manipulated protocol schemes and slash patterns. When a vulnerable application uses url-parse to validate or process redirect URLs, the attacker-controlled URL may be interpreted differently than intended, potentially bypassing allowlist checks or domain validation. This enables open redirect attacks where users believe they are being redirected to a trusted domain but are actually sent to an attacker-controlled site.
// Security patch in index.js - [fix] Ignore slashes after the protocol for special URLs
return finaldestination;
}
+/**
+ * Check whether a protocol scheme is special.
+ *
+ * @param {String} The protocol scheme of the URL
+ * @return {Boolean} `true` if the protocol scheme is special, else `false`
+ * @private
+ */
+function isSpecial(scheme) {
+ return (
+ scheme === 'file:' ||
+ scheme === 'ftp:' ||
+ scheme === 'http:' ||
+ scheme === 'https:' ||
+ scheme === 'ws:' ||
+ scheme === 'wss:'
+ );
+}
+
/**
* @typedef ProtocolExtract
* @type Object
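Review bot: the JSDoc on `isSpecial` omits the parameter name; `@param {String} The protocol scheme of the URL` should read `@param {String} scheme The protocol scheme of the URL` so documentation tooling can tie the description to the argument. Also, the six comparisons are exact string matches, so `isSpecial` only returns `true` for a lowercase scheme that already carries its trailing colon (`'https:'`, not `'HTTPS:'` or `'https'`); the hunk does not show the call site, so confirm the caller always passes the scheme in that normalized form before the slash-handling decision depends on this result.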
Source: GitHub Commit
Detection Methods for CVE-2021-3664
Indicators of Compromise
- Unusual redirect patterns in web application logs pointing to unexpected external domains
- Application behavior where URL validation passes for malformed URLs containing abnormal slash sequences after protocol schemes
- User reports of being redirected to suspicious or phishing websites from trusted application links
Detection Strategies
- Implement Software Composition Analysis (SCA) tools to identify vulnerable versions of url-parse in your dependency tree
- Monitor npm audit reports for known vulnerabilities in url-parse and related packages
- Review application logs for redirect URLs containing unusual protocol and slash combinations
Monitoring Recommendations
- Configure web application firewalls (WAF) to detect and alert on potential open redirect attempts
- Enable logging for all URL redirect operations and implement anomaly detection for unexpected destination domains
- Regularly scan application dependencies using tools like npm audit, Snyk, or OWASP Dependency-Check
How to Mitigate CVE-2021-3664
Immediate Actions Required
- Update url-parse to a patched version that includes the security fix (commit 81ab967889b08112d3356e451bf03e6aa0cbb7e0)
- Audit all applications using url-parse for potential open redirect vulnerabilities
- Review and strengthen server-side URL validation logic so that it does not rely solely on a third-party parsing library such as url-parse
Patch Information
The vulnerability has been addressed in commit 81ab967889b08112d3356e451bf03e6aa0cbb7e0 in the url-parse GitHub repository. The fix introduces an isSpecial() function that properly identifies special URL schemes (file:, ftp:, http:, https:, ws:, wss:) and applies appropriate slash handling rules. Debian users should also refer to the Debian LTS Announcement for distribution-specific updates.
Workarounds
- Implement server-side URL allowlisting that explicitly validates the full URL including protocol and domain before processing redirects
- Use the native URL constructor in Node.js as an alternative for URL parsing when possible, as it adheres to the WHATWG URL Standard
- Add additional validation layers that check for unexpected slash patterns in URLs before passing them to url-parse
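The layered check that the Detection Strategies and Workarounds sections describe, written out as an added example for this advisory (it is not code from url-parse or its maintainers). It assumes an application origin, an allowlist of redirect hosts and a `next` query parameter, all constructed here, and uses only the URL class built into Node.js: targets with an unusual slash pattern after the scheme are refused before any parsing, the remainder are parsed with the WHATWG parser and checked against the allowlist, and the same function is then run over a few constructed access-log lines to surface the redirect targets a defender would want to review.

```javascript
// Added example for this advisory (not code from url-parse or its
// maintainers): a server-side redirect check that uses Node's built-in
// WHATWG URL parser plus an explicit host allowlist, and a log scanner
// that applies the same check to redirect targets found in access logs.
// APP_ORIGIN, ALLOWED_HOSTS, resolveRedirect and flagSuspiciousRedirects
// are assumed names; the hosts and log lines are constructed sample data.

const APP_ORIGIN = 'https://app.example.com';
const ALLOWED_HOSTS = new Set(['app.example.com', 'login.example.com']);

// Scheme followed by anything other than exactly two forward slashes and
// a host character: "https:///", "https:\\", "https:/", "mailto:" ...
// Reject these before any parser normalizes them, because a second
// parser elsewhere in the stack (a vulnerable url-parse, a browser) may
// normalize them differently than the one used for validation.
const ODD_SLASHES = /^[a-z][a-z0-9+.-]*:(?!\/\/[^\/\\])/i;

// Returns the normalized absolute URL to redirect to, or null when the
// target must be refused. Callers redirect to the returned string, never
// to the raw input.
function resolveRedirect(target) {
  if (typeof target !== 'string') return null;
  const raw = target.trim();
  if (raw === '') return null;
  if (ODD_SLASHES.test(raw)) return null;

  let parsed;
  try {
    // Relative targets ("/account", "//host/x") resolve against our origin.
    parsed = new URL(raw, APP_ORIGIN);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:') return null;
  // Credentials in the authority ("trusted@other-host") are never expected.
  if (parsed.username !== '' || parsed.password !== '') return null;
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return null;
  return parsed.href;
}

// Constructed access-log lines (Common Log Format), not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login?next=%2Faccount HTTP/1.1" 302 -',
  '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /login?next=https%3A%2F%2F%2Funtrusted.example%2F HTTP/1.1" 302 -',
  '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /login?next=https%3A%2F%2Flogin.example.com%2Fsso HTTP/1.1" 302 -',
  '10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 -',
];

// Extracts the request path from each log line, pulls the redirect
// parameter and returns the targets that resolveRedirect would refuse.
function flagSuspiciousRedirects(lines, param = 'next') {
  const flagged = [];
  for (const line of lines) {
    const m = line.match(/"[A-Z]+ (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    const target = new URL(m[1], APP_ORIGIN).searchParams.get(param);
    if (target !== null && resolveRedirect(target) === null) flagged.push(target);
  }
  return flagged;
}

console.log('resolved:', resolveRedirect('/account'));
console.log('flagged:', flagSuspiciousRedirects(SAMPLE_LOG));
```

The ODD_SLASHES pre-check refuses inputs such as `https:///app.example.com/x` even though Node's own parser would normalize them to an allowed host. That is deliberate: another parser in the request path (a vulnerable url-parse build, or the user's browser) may normalize the same bytes differently, and refusing ambiguous input removes the need to reason about which parser wins.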
# Configuration example
# Update url-parse to the latest patched version
npm update url-parse
# Audit your project dependencies for vulnerabilities
npm audit
# Check for vulnerable url-parse versions in your dependency tree
npm ls url-parse
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.