Improper Input Validation in url-js
Moderate severity
GitHub Reviewed
Published
Mar 12, 2022
to the GitHub Advisory Database
•
Updated Jan 27, 2023
Description
Published by the National Vulnerability Database
Mar 11, 2022
Published to the GitHub Advisory Database
Mar 12, 2022
Reviewed
Mar 14, 2022
Last updated
Jan 27, 2023
The package url-js before 2.1.0 is vulnerable to Improper Input Validation due to improper parsing, which makes it is possible for the hostname to be spoofed. http://\\\\localhost and http://localhost are the same URL. However, the hostname is not parsed as localhost, and the backslash is reflected as it is.
References