The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2022-0122

CVE-2022-0122: Digitalbazaar Forge URL Redirection Flaw

CVE-2022-0122 is a URL redirection to untrusted site vulnerability in Digitalbazaar Forge that allows attackers to redirect users to malicious sites. This article covers technical details, affected versions, and mitigation.

Published: February 11, 2026

CVE-2022-0122 Overview

CVE-2022-0122 is a URL Redirection to Untrusted Site vulnerability (CWE-601) affecting the DigitalBazaar Forge library, a popular JavaScript cryptography library used in Node.js applications. This open redirect vulnerability in the forge.util.parseUrl function could allow attackers to redirect users to malicious websites, potentially enabling phishing attacks or credential theft.

Critical Impact

Applications using the vulnerable parseUrl function may inadvertently redirect users to attacker-controlled websites, facilitating phishing campaigns and social engineering attacks.

Affected Products

  • digitalbazaar forge (Node.js package)
  • Applications using forge.util.parseUrl for URL handling
  • Systems relying on Forge for HTTP client URL parsing

Discovery Timeline

  • 2022-01-06 - CVE CVE-2022-0122 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-0122

Vulnerability Analysis

The vulnerability exists in the forge.util.parseUrl function within the Forge library. This function was designed to parse the scheme, host, and port from HTTP(S) URLs using a regular expression. However, the regex pattern used for URL parsing was flawed, as noted in the code comment stating "FIXME: this regex looks a bit broken."

The broken regex pattern /^(https?):\\/\\/([^:&^\\/]*):?(\\d*)(.*)$/g failed to properly validate and sanitize URL inputs, allowing malicious URLs to be processed in unexpected ways. This could lead to open redirect vulnerabilities where user-supplied URLs are not properly validated before redirecting users.

The vulnerability can be exploited without authentication and requires user interaction (such as clicking a malicious link). If successful, the attacker can redirect victims from a trusted application to a malicious site, potentially compromising confidentiality and integrity of user data through phishing or credential harvesting attacks.

Root Cause

The root cause of this vulnerability is the use of a flawed regular expression in forge.util.parseUrl that does not properly validate URL inputs. The custom URL parsing implementation failed to handle edge cases and malicious inputs correctly, allowing URL manipulation that could result in open redirects. Additionally, the code maintained its own URL parsing logic rather than relying on well-tested browser or Node.js native URL parsing APIs.

Attack Vector

An attacker can exploit this vulnerability by crafting malicious URLs that bypass the flawed regex validation. When a vulnerable application uses forge.util.parseUrl to process user-controlled URLs and subsequently redirects users based on the parsed output, attackers can manipulate the destination to point to malicious sites.

The attack vector is network-based, requiring user interaction such as clicking a crafted link. Successful exploitation enables cross-site redirect attacks, which can be used for:

  • Phishing attacks impersonating legitimate services
  • Credential theft through fake login pages
  • Malware distribution through malicious redirects
javascript
// Vulnerable code removed from lib/util.js
// The parseUrl function used a broken regex for URL parsing
util.parseUrl = function(str) {
  // FIXME: this regex looks a bit broken
  var regex = /^(https?):\\/\\/([^:&^\\/]*):?(\\d*)(.*)$/g;
  regex.lastIndex = 0;
  var m = regex.exec(str);
  var url = (m === null) ? null : {
    full: str,
    scheme: m[1],
    host: m[2],
    port: m[3],
    path: m[4]
  };
  // ...
}

Source: GitHub Commit Reference

Detection Methods for CVE-2022-0122

Indicators of Compromise

  • Unusual redirect patterns in web application logs pointing to external domains
  • User reports of being redirected to unexpected or suspicious websites
  • HTTP referrer headers showing redirects from your application to known malicious domains
  • Increased phishing reports from users who visited links associated with your application

Detection Strategies

  • Review application code for usage of forge.util.parseUrl function calls
  • Implement URL validation logging to detect malformed or suspicious redirect attempts
  • Deploy web application firewalls (WAF) with rules to detect open redirect attack patterns
  • Use static code analysis tools to identify vulnerable Forge library versions in dependencies

Monitoring Recommendations

  • Monitor HTTP 302/301 redirect responses for unexpected external destinations
  • Set up alerts for high volumes of redirect requests to external domains
  • Implement Content Security Policy (CSP) headers to restrict redirect destinations
  • Track and audit all URL parsing operations in security-sensitive contexts

How to Mitigate CVE-2022-0122

Immediate Actions Required

  • Update the Forge library to the patched version that removes the vulnerable parseUrl function
  • Audit application code for any direct usage of forge.util.parseUrl and replace with secure alternatives
  • Implement server-side URL validation using allowlists for permitted redirect destinations
  • Review and update any URL handling logic that depends on the Forge library

Patch Information

The vulnerability was addressed by DigitalBazaar in commit db8016c805371e72b06d8e2edfe0ace0df934a5e. The fix removes the vulnerable forge.util.parseUrl function entirely and updates the HTTP client code to use the native URL API properties (protocol, hostname) instead of the custom parsed values (scheme, host).

The patch modifies lib/http.js to use standard URL object properties:

javascript
// Patched code in lib/http.js - uses native URL API
return 'forge.http.' +
  client.url.protocol.slice(0, -1) + '.' +
  client.url.hostname + '.' +
  client.url.port;

Source: GitHub Commit Reference

Workarounds

  • Avoid using forge.util.parseUrl and use the native URL constructor in JavaScript instead
  • Implement input validation with URL allowlists before processing user-supplied URLs
  • Add redirect confirmation pages that warn users before navigating to external sites
  • Apply strict URL validation using the built-in Node.js url module or browser URL API
bash
# Update forge package to latest version
npm update node-forge
# Or install specific patched version
npm install node-forge@latest

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeOther
  • Vendor/TechDigitalbazaar Forge
  • SeverityMEDIUM
  • CVSS Score6.1
  • EPSS Probability0.16%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityLow
  • AvailabilityNone
  • CWE References
  • CWE-601
  • Vendor Resources
  • GitHub Commit Reference
  • Huntr Bug Bounty Report
  • Related CVEs
  • CVE-2022-24772: Digitalbazaar Forge Signature Forgery
  • CVE-2022-24771: Digitalbazaar Forge Signature Forgery Flaw
  • CVE-2025-12816: Digitalbazaar Forge Auth Bypass Vulnerability
  • CVE-2025-66031: Digitalbazaar Forge DoS Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English