CVE-2022-1243

Description

\r, \n and \t characters in user-input URLs can potentially lead to incorrect protocol extraction when using npm package urijs prior to version 1.19.11. This can lead to XSS when the module is used to prevent passing in malicious javascript: links into HTML or Javascript (see following example): ```` const parse = require('urijs') const express = require('express') const app = express() const port = 3000 input = "ja\r\nvascript:alert(1)" url = parse(input) console.log(url) app.get('/', (req, res) => { if (url.protocol !== "javascript:") {res.send("<iframe src=\'" + input + "\'>CLICK ME!</iframe>")} }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) }) ````

How to fix CVE-2022-1243

To remediate CVE-2022-1243, upgrade the affected package to a fixed version below.

• —upgrade to 1.19.11 or later

Is CVE-2022-1243 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.19.11

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-1243
• PATCHgithub.com/medialize/uri.js
• WEBgithub.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae
• WEBhuntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7