CVE-2022-0512 Overview
CVE-2022-0512 is an Authorization Bypass Through User-Controlled Key vulnerability affecting the url-parse NPM package prior to version 1.5.6. This popular JavaScript library is used for parsing URLs in Node.js applications, and the vulnerability allows attackers to manipulate URL parsing logic through specially crafted URLs containing the @ character in the userinfo portion.
Critical Impact
Attackers can craft malicious URLs that bypass authorization controls by manipulating how the url-parse library interprets the hostname and userinfo components, potentially leading to open redirect attacks or server-side request forgery (SSRF) in applications that rely on this library for URL validation.
Affected Products
- url-parse NPM package versions prior to 1.5.6
- Node.js applications using vulnerable url-parse versions
- Web applications relying on url-parse for URL validation and parsing
Discovery Timeline
- 2022-02-14 - CVE-2022-0512 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0512
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The flaw exists in how the url-parse library handles URLs containing the @ character within the userinfo portion. The library uses indexOf() to find the @ delimiter, and indexOf() returns the position of the first occurrence, so when a URL contains more than one @ character the hostname can be parsed incorrectly.
For example, a URL like http://attacker.com%40legitimate.com@malicious.com/ would be incorrectly parsed, potentially causing applications to believe they are connecting to legitimate.com when the actual destination is malicious.com. This parsing discrepancy can be exploited to bypass URL-based authorization checks, access controls, or allowlist validations.
Root Cause
The root cause lies in the URL parsing logic that uses indexOf('@') to locate the userinfo delimiter. Since indexOf() returns the position of the first occurrence of a character, URLs containing multiple @ characters (including URL-encoded %40) are parsed incorrectly. The hostname extraction logic would stop at the wrong delimiter, causing the parsed hostname to differ from the actual destination server.
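The following is an added example, not code from the advisory or from the url-parse project: a minimal model of the userinfo/host split that contrasts a first-occurrence split (indexOf, the behaviour described above) with a last-occurrence split (lastIndexOf), and compares both against Node's built-in WHATWG URL parser, which always treats the last @ as the delimiter. The function names and the sample URLs are constructed for illustration.

```javascript
// Added example (not url-parse's own code): model only the '@' split of the
// authority; scheme, path, query and fragment are assumed to be stripped first.

// Split "user:pass@host:port" into userinfo and host. `useLastIndexOf`
// selects the last-occurrence split; false reproduces the first-occurrence one.
function splitAuthority(authority, useLastIndexOf) {
  const index = useLastIndexOf
    ? authority.lastIndexOf('@')
    : authority.indexOf('@');
  if (index === -1) return { auth: '', host: authority };
  return { auth: authority.slice(0, index), host: authority.slice(index + 1) };
}

// Take the authority part of an absolute URL without decoding anything
// (url-parse does not decode %40 either).
function authorityOf(urlString) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(urlString);
  if (!m) throw new Error('not an absolute URL: ' + urlString);
  return m[1];
}

// Compare both splits with the host that Node's WHATWG URL parser reports,
// i.e. the host a real HTTP client would connect to.
function compareParsers(urlString) {
  const authority = authorityOf(urlString);
  const firstSplit = splitAuthority(authority, false);
  const lastSplit = splitAuthority(authority, true);
  const whatwgHost = new URL(urlString).host;
  return {
    firstSplitHost: firstSplit.host,
    lastSplitHost: lastSplit.host,
    whatwgHost,
    // true when code trusting the first-occurrence split sees a host that
    // differs from the real destination
    discrepancy: firstSplit.host !== whatwgHost,
  };
}

// Constructed sample inputs (not taken from a real incident).
const SAMPLES = [
  'http://user:pw@example.com/path',            // one '@': all parsers agree
  'http://user@example.com@evil.example/path',  // two '@': first split picks the wrong host
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) console.log(s, compareParsers(s));
}
```

For the second sample the first-occurrence split reports the host as `example.com@evil.example`, which a substring or prefix allowlist check for `example.com` would accept, while both the last-occurrence split and the WHATWG parser report `evil.example`.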
Attack Vector
This vulnerability is exploitable over the network without authentication. Attackers can craft malicious URLs and submit them to applications that use the vulnerable url-parse library for URL validation. The attack is particularly effective against:
- Open redirect prevention mechanisms
- SSRF protection filters
- URL allowlist/blocklist implementations
- OAuth redirect URI validation
The fix changes the parsing logic to use lastIndexOf('@') instead of indexOf('@') when parsing the userinfo portion, ensuring the correct delimiter is identified:
if (parse !== parse) {
url[key] = address;
} else if ('string' === typeof parse) {
- if (~(index = address.indexOf(parse))) {
+ index = parse === '@'
+ ? address.lastIndexOf(parse)
+ : address.indexOf(parse);
+
+ if (~index) {
if ('number' === typeof instruction[2]) {
url[key] = address.slice(0, index);
address = address.slice(index + instruction[2]);
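Review bot: The switch to lastIndexOf is scoped to the case `parse === '@'`; every other string delimiter keeps indexOf, so only the userinfo split changes. Assigning `index` in a separate statement and then testing `if (~index)` preserves the existing -1 sentinel handling, but the three-line ternary would read more clearly on one line: `index = parse === '@' ? address.lastIndexOf(parse) : address.indexOf(parse);`. A regression test with an address containing two `@` characters, asserting that the host is taken after the last one, should accompany this change, and the quoted hunk should carry its `@@` header and leading-space context markers so it applies cleanly.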
Source: GitHub Commit 9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40
Detection Methods for CVE-2022-0512
Indicators of Compromise
- HTTP requests containing URLs with multiple @ characters or URL-encoded %40 sequences
- Unusual redirect patterns where the logged destination differs from the actual destination
- Application logs showing hostname parsing discrepancies
- Requests to unexpected external domains following URL validation
Detection Strategies
- Implement software composition analysis (SCA) tools to identify vulnerable url-parse versions in your dependency tree
- Use npm audit or yarn audit to detect known vulnerabilities in JavaScript dependencies
- Monitor application logs for URLs containing multiple @ characters in the userinfo portion
- Deploy web application firewall (WAF) rules to detect URL manipulation attempts
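As an added example of the log-monitoring strategy above (not code from the advisory), the scanner below flags access-log entries whose URL, or whose URL-valued query parameter, carries more than one userinfo delimiter (a literal @ or its %40 encoding) before the path. The log format, field names and sample lines are constructed for illustration.

```javascript
// Added example: detect URLs with more than one '@' / '%40' in the authority.

// Return the authority ("userinfo@host:port") of an absolute URL, or the
// text up to the first '/', '?' or '#' for a relative one.
function authorityPart(urlString) {
  const stripped = urlString.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  return stripped.split(/[/?#]/, 1)[0];
}

// Count candidate userinfo delimiters: literal '@' and percent-encoded '%40'.
function atSignCount(authority) {
  const literal = (authority.match(/@/g) || []).length;
  const encoded = (authority.match(/%40/gi) || []).length;
  return { literal, encoded, total: literal + encoded };
}

// More than one candidate delimiter means the hostname depends on which '@'
// a given parser picks, which is the condition worth alerting on.
function isSuspiciousUrl(urlString) {
  return atSignCount(authorityPart(urlString)).total > 1;
}

// Scan a simple "ip method url status" access log (constructed format) and
// return the flagged entries with the delimiter counts that triggered them.
function scanAccessLog(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 4) continue;
    const [ip, method, url] = fields;
    // Redirect targets usually arrive as a query parameter, so inspect those
    // both as logged and after percent-decoding.
    const candidates = [url];
    const q = url.indexOf('?');
    if (q !== -1) {
      for (const kv of url.slice(q + 1).split('&')) {
        const eq = kv.indexOf('=');
        if (eq === -1) continue;
        const raw = kv.slice(eq + 1);
        candidates.push(raw);
        try { candidates.push(decodeURIComponent(raw)); } catch (e) { /* malformed encoding: keep raw only */ }
      }
    }
    for (const c of candidates) {
      if (isSuspiciousUrl(c)) {
        findings.push({ ip, method, url: c, ...atSignCount(authorityPart(c)) });
        break; // one finding per log line is enough
      }
    }
  }
  return findings;
}

// Constructed sample log lines (documentation-range IPs, example hostnames).
const SAMPLE_LOG = [
  '203.0.113.5 GET /login?next=https%3A%2F%2Fapp.example%2Fhome 302',
  '203.0.113.7 GET /login?next=http%3A%2F%2Fuser%40app.example%40evil.example%2F 302',
  '198.51.100.9 GET /profile 200',
  '198.51.100.9 GET /api?u=http://a%40b.example@evil.example/ 200',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanAccessLog(SAMPLE_LOG));
}
```

Only the second and fourth lines are reported: the second because its encoded redirect target contains two %40 sequences, the fourth because the parameter value mixes one literal @ with one %40. A single @ (ordinary credentials in a URL) is not flagged, which keeps the rule's false-positive rate low.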
Monitoring Recommendations
- Review npm package lock files (package-lock.json or yarn.lock) for url-parse versions below 1.5.6
- Implement continuous dependency scanning in CI/CD pipelines
- Monitor for security advisories related to url-parse and similar URL parsing libraries
- Set up alerts for unusual URL patterns in request logs
How to Mitigate CVE-2022-0512
Immediate Actions Required
- Upgrade url-parse to version 1.5.6 or later immediately
- Run npm audit fix or yarn upgrade url-parse to update the package
- Review applications that use url-parse for URL validation or parsing logic
- Audit any URL-based authorization controls that rely on url-parse
Patch Information
The vulnerability has been fixed in url-parse version 1.5.6. The patch modifies the parsing logic to correctly handle URLs containing multiple @ characters by using lastIndexOf('@') for userinfo parsing. For detailed information, see the GitHub Commit Change and the Huntr Bug Bounty Report. Debian users should also refer to the Debian LTS Security Announcement.
Workarounds
- If immediate upgrade is not possible, implement additional URL validation at the application layer before passing URLs to url-parse
- Use URL validation regex patterns to reject URLs containing multiple @ characters
- Consider using the built-in URL class in modern Node.js versions as an alternative to url-parse
- Implement allowlist validation on parsed hostnames using a secondary parsing method
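The following is an added example, not code from the advisory or from url-parse, that combines the workarounds above into one application-layer check to run before a URL is handed to url-parse or used as a redirect or server-side fetch target: it rejects URLs with more than one userinfo delimiter, relies on Node's built-in WHATWG URL class, rejects any credentials, matches the hostname exactly against an allowlist, and cross-checks the hostname with an independent regex extraction, failing closed on disagreement. The allowlist entries, function names and sample URLs are constructed for illustration.

```javascript
// Added example: defensive target validation using the built-in URL class.

// Constructed allowlist of exact hostnames (lowercase).
const ALLOWED_HOSTS = new Set(['app.example', 'api.app.example']);

// Independent hostname extraction as a second opinion: take the authority,
// drop everything up to the last '@', then drop any ':port'. IPv6 literals
// are rejected rather than parsed to keep this helper simple.
function hostnameByRegex(urlString) {
  const m = /^https?:\/\/([^/?#]*)/i.exec(urlString);
  if (!m) return null;
  let authority = m[1];
  const at = authority.lastIndexOf('@');
  if (at !== -1) authority = authority.slice(at + 1);
  if (authority.startsWith('[')) return null;
  const colon = authority.indexOf(':');
  return (colon === -1 ? authority : authority.slice(0, colon)).toLowerCase();
}

// Validate a redirect or fetch target. Returns { ok, hostname, reason }.
function validateTarget(urlString, allowedHosts = ALLOWED_HOSTS) {
  // More than one '@' or '%40' before the path means the hostname depends on
  // the parser's choice of delimiter; reject outright.
  const authority = (/^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(urlString) || [])[1] || '';
  if ((authority.match(/@|%40/gi) || []).length > 1) {
    return { ok: false, hostname: null, reason: 'multiple userinfo delimiters' };
  }
  let parsed;
  try {
    parsed = new URL(urlString);
  } catch (e) {
    return { ok: false, hostname: null, reason: 'unparseable URL' };
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { ok: false, hostname: null, reason: 'unexpected scheme' };
  }
  // Credentials are never needed in a redirect or server-side fetch target.
  if (parsed.username !== '' || parsed.password !== '') {
    return { ok: false, hostname: parsed.hostname, reason: 'userinfo present' };
  }
  // The secondary extraction must agree with the WHATWG parser; fail closed.
  if (hostnameByRegex(urlString) !== parsed.hostname) {
    return { ok: false, hostname: parsed.hostname, reason: 'parser disagreement' };
  }
  // Exact match only: no substring, prefix or suffix comparisons.
  if (!allowedHosts.has(parsed.hostname)) {
    return { ok: false, hostname: parsed.hostname, reason: 'host not allowlisted' };
  }
  return { ok: true, hostname: parsed.hostname, reason: null };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const u of ['https://app.example/home', 'http://user@app.example@evil.example/', 'http://evil.example/']) {
    console.log(u, validateTarget(u));
  }
}
```

The check deliberately returns a reason string so that rejections can be logged and correlated with the indicators listed in the detection section.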
# Update url-parse to the patched version (npm install pins the requested
# version in package.json; npm update alone only moves within the existing semver range)
npm install url-parse@1.5.6
# Or using yarn
yarn upgrade url-parse@1.5.6
# Verify the installed version
npm list url-parse
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.