CVE-2022-0691 Overview
CVE-2022-0691 is an Authorization Bypass Through User-Controlled Key vulnerability affecting the NPM url-parse package prior to version 1.5.9. This widely-used JavaScript library for parsing URLs contains a flaw in how it handles control characters at the beginning of URL strings, enabling attackers to manipulate URL parsing behavior and potentially bypass security controls that rely on accurate URL validation.
Critical Impact
This vulnerability allows attackers to craft malicious URLs that bypass authorization checks by exploiting improper handling of control characters, potentially leading to Server-Side Request Forgery (SSRF), open redirects, or authentication bypass in applications relying on url-parse for URL validation.
Affected Products
- url-parse by url-parse_project (versions prior to 1.5.9)
- Node.js applications using vulnerable url-parse versions
- Web applications relying on url-parse for URL validation and sanitization
Discovery Timeline
- 2022-02-21 - CVE-2022-0691 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0691
Vulnerability Analysis
The vulnerability exists in the url-parse library's whitespace trimming functionality. The library failed to properly strip all control characters from the beginning of input URLs before parsing. This incomplete sanitization allows attackers to prepend specific control characters (bytes \x00 through \x1f) to URLs, causing the parser to misinterpret the URL structure and potentially return incorrect host, protocol, or path information.
When applications use url-parse for security decisions—such as validating that a redirect URL points to an allowed domain or ensuring an API request targets an approved host—this parsing inconsistency can be exploited to bypass those checks. The attacker crafts a URL with leading control characters that causes url-parse to return different results than what the browser or server would actually navigate to.
Root Cause
The root cause lies in the whitespace regular expression pattern used to strip leading characters from URLs. The original implementation used a pattern that only matched a limited set of whitespace characters ([ \f\n\r\t\v\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]), missing critical ASCII control characters in the \x00-\x1f range. This oversight allowed attackers to prepend control characters that would be stripped by browsers but not by url-parse, creating a parsing differential that could be exploited for authorization bypass.
Attack Vector
The attack leverages the network-accessible nature of web applications. An attacker with no authentication can submit crafted URLs containing leading control characters to any application endpoint that processes user-supplied URLs through the vulnerable url-parse library. The attack requires no user interaction and can be executed remotely with low complexity.
A typical attack scenario involves:
- Identifying an application that uses url-parse for URL validation
- Crafting a malicious URL with leading control characters (e.g., \x00http://evil.com)
- Submitting this URL where the application validates the destination
- The url-parse library misparses the URL, allowing the attacker to bypass domain allowlists or redirect validation
// Security patch - Fix for control character handling
// Source: https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63
, slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//
, protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\\/]+)?([\S\s]*)/i
, windowsDriveLetter = /^[a-zA-Z]:/
- , whitespace = /^[ \f\n\r\t\v\\u00a0\\u1680\\u2000-\\u200a\\u2028\\u2029\\u202f\\u205f\\u3000\\ufeff]+/;
+ , whitespace = /^[\\x00-\\x20\\u00a0\\u1680\\u2000-\\u200a\\u2028\\u2029\\u202f\\u205f\\u3000\\ufeff]+/;
/**
* Trim a given string.
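Review bot: the new class `[\\x00-\\x20 ...]` folds the previously explicit space, \f, \n, \r, \t and \v into the \x00-\x20 range, so nothing from the old set is dropped while every C0 control character is added; the pattern is still anchored with `^` only, so the doc comment "Trim a given string." should state that only a leading run is removed, and a regression test that feeds a NUL-prefixed absolute URL and asserts the parsed protocol and host would guard this change against future edits to the class.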
Source: GitHub Commit Update
Detection Methods for CVE-2022-0691
Indicators of Compromise
- HTTP requests containing URLs with unusual leading characters or null bytes
- Log entries showing URL validation inconsistencies or unexpected redirect targets
- Application errors related to URL parsing with malformed input
- Unusual outbound connections from servers that perform URL-based operations
Detection Strategies
- Implement Software Composition Analysis (SCA) tools to identify url-parse versions prior to 1.5.9 in your dependency tree
- Monitor application logs for URLs containing control characters (\x00-\x1f) in user-submitted data
- Deploy Web Application Firewall (WAF) rules to detect and block URLs with leading control characters
- Use npm audit or similar dependency scanning to identify vulnerable packages in Node.js projects
Monitoring Recommendations
- Enable verbose logging for URL validation and redirect functionality in affected applications
- Set up alerts for unusual patterns in URL-related request parameters
- Monitor for SSRF indicators such as internal IP addresses appearing in outbound request logs
- Track dependency versions across your application portfolio to ensure timely patching
How to Mitigate CVE-2022-0691
Immediate Actions Required
- Upgrade url-parse to version 1.5.9 or later immediately using npm update url-parse
- Audit all applications using url-parse for URL validation in security-sensitive contexts
- Implement additional input validation to strip control characters before URL parsing
- Review application logs for potential exploitation attempts
Patch Information
The vulnerability has been addressed in url-parse version 1.5.9. The fix expands the whitespace regular expression to cover all ASCII C0 control characters together with the space character (\x00-\x20) rather than just standard whitespace characters. This ensures that all potentially dangerous leading characters are stripped before URL parsing begins.
Patch details are available in the GitHub Commit Update. Additional information can be found in the Huntr Bounty Report.
Workarounds
- Implement pre-processing to strip control characters from URLs before passing to url-parse
- Use the native URL constructor available in modern Node.js versions as an alternative
- Add server-side validation that normalizes URLs before security checks
- Deploy WAF rules to reject requests containing URLs with leading control characters
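The following is an added example, not code from url-parse or its maintainers. It contrasts the pre-1.5.9 and 1.5.9 leading-whitespace patterns from the Root Cause section to show the parsing differential, and implements the detection check and the normalize-then-validate workaround recommended above using Node's built-in WHATWG URL constructor; the sample input and the hostnames are constructed.

```javascript
// Leading-whitespace pattern from url-parse < 1.5.9 (conventional whitespace only).
const WHITESPACE_OLD = /^[ \f\n\r\t\v\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
// Pattern from url-parse 1.5.9: every C0 control character (\x00-\x1f) plus space.
const WHITESPACE_NEW = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
// Protocol pattern as it appears in the patch context; capture group 1 is the scheme.
const PROTOCOL_RE = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\\\/]+)?([\S\s]*)/i;

// Trim a leading run with the given pattern, then extract the scheme the way
// url-parse's protocol regex would. '' means "no scheme seen, looks relative".
function schemeAfterTrim(rawUrl, whitespace) {
  const trimmed = rawUrl.replace(whitespace, '');
  const m = PROTOCOL_RE.exec(trimmed);
  return m && m[1] ? m[1].toLowerCase() : '';
}

// Host that the WHATWG URL parser (Node's built-in URL) resolves the input to.
// The standard strips leading C0 controls itself, so it sees the scheme that
// the old url-parse pattern left hidden behind the control byte.
function whatwgHost(rawUrl) {
  try { return new URL(rawUrl).hostname; } catch { return null; }
}

// Detection: true when any C0 control character occurs anywhere in the string.
function hasControlChars(rawUrl) {
  return /[\x00-\x1f]/.test(rawUrl);
}

// Hardened redirect check (hypothetical helper): reject control characters
// outright instead of silently repairing, parse with the built-in URL
// constructor, then compare the hostname against an allowlist.
// Returns the hostname when allowed, otherwise null.
function allowedRedirectHost(rawUrl, allowlist) {
  if (hasControlChars(rawUrl)) return null;
  const host = whatwgHost(rawUrl);
  if (host === null) return null;
  return allowlist.includes(host) ? host : null;
}

// Constructed sample input: a NUL byte prepended to an absolute URL.
const SAMPLE = '\x00https://external.invalid/';
console.log(schemeAfterTrim(SAMPLE, WHITESPACE_OLD));       // '' (old trim leaves the NUL)
console.log(schemeAfterTrim(SAMPLE, WHITESPACE_NEW));       // 'https:'
console.log(whatwgHost(SAMPLE));                            // 'external.invalid'
console.log(allowedRedirectHost(SAMPLE, ['app.example']));  // null
```

A validator that treated the old result (no scheme, apparently relative) as safe would accept an input that the browser then resolves to the external host; rejecting control characters before parsing closes that gap.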
# Configuration example
# Update url-parse to patched version
npm install url-parse@1.5.9
# Alternatively, update to latest version
npm install url-parse@latest
# Verify the installed version
npm list url-parse
# Run npm audit to check for remaining vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.