CVE-2022-1233
URL Confusion When Scheme Not Supplied in medialize/uri.js
6.5
MEDIUM
CVSS 3.1
EPSS 0.18%
Description
Medialize is a JavaScript URL mutation library. When parsing a URL without a scheme and with excessive slashes, such as ///www.example.com, URI.js parses the hostname as null and the path as /www.example.com. This differs from browsers, which parse ///www.example.com as http://www.example.com instead. A same-origin check based on URI.js's null hostname therefore disagrees with where the browser will actually navigate. For example, the following will cause a redirect to http://www.example.com: A fix was released in version 1.19.11.
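The safe pattern for redirect validation is to resolve the candidate target with the same algorithm the browser will use (the WHATWG URL parser, which Node.js also implements) and compare full origins, instead of relying on a different parser's notion of "no hostname". The following is an added example written for this advisory; it is not URI.js code and does not depend on the urijs package. The application origin https://app.example.org and the inputs are constructed for illustration.

```javascript
// Added example (not URI.js's code): decide whether a user-supplied redirect
// target stays on the application's own origin by resolving it with the
// WHATWG URL parser that browsers and Node.js share. The parser disagreement
// behind CVE-2022-1233 is that URI.js < 1.19.11 reports a null hostname for
// inputs like "///www.example.com", while a browser resolves that input to an
// absolute URL on www.example.com. Resolving with the browser's own algorithm
// closes that gap.

const APP_ORIGIN = 'https://app.example.org'; // constructed origin for the example

// Returns the absolute same-origin URL (as a string) if `target` stays on
// `origin`, or null if it would leave the origin or cannot be parsed at all.
function resolveLocalRedirect(target, origin = APP_ORIGIN) {
  if (typeof target !== 'string') return null;
  let resolved;
  try {
    // Relative inputs ("/dashboard", "//host", "///host") are resolved against
    // the application origin exactly as a browser would resolve them.
    resolved = new URL(target, origin);
  } catch (_err) {
    return null; // unparsable input: refuse rather than guess
  }
  // Compare the full origin (scheme + host + port), not just the hostname,
  // so a scheme downgrade or a port change is rejected as well.
  if (resolved.origin !== new URL(origin).origin) return null;
  return resolved.href;
}

// Shows how the browser-style parser sees a given input next to the decision
// resolveLocalRedirect makes for it.
function describe(target) {
  const browserView = new URL(target, APP_ORIGIN);
  return {
    input: target,
    hostname: browserView.hostname,
    allowed: resolveLocalRedirect(target) !== null,
  };
}

// Constructed sample of targets a redirect parameter might carry.
const SAMPLE_TARGETS = [
  '/dashboard',
  '//www.example.com/',
  '///www.example.com',
  'http://app.example.org/settings',
  'https://app.example.org/settings?tab=1',
];

for (const t of SAMPLE_TARGETS) {
  console.log(describe(t));
}
```

The `///www.example.com` case resolves to a hostname of `www.example.com`, so the check rejects it, which is the outcome a null-hostname test on the old URI.js parser would have missed. Note that the check compares origins rather than hostnames, so `http://app.example.org/...` is also refused when the application origin is `https://app.example.org`.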
How to fix CVE-2022-1233
To remediate CVE-2022-1233, upgrade the affected package to a fixed version below.
- URI.js: upgrade to 1.19.11 or later
Is CVE-2022-1233 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- URI.js: all versions from 0 up to, but not including, 1.19.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |