Platform
nodejs
Component
parse-url
Fixed in
7.0.0
CVE-2022-2217 is a Cross-Site Scripting (XSS) vulnerability affecting the ionicabizau/parse-url Node.js library prior to version 7.0.0. This vulnerability allows attackers to inject malicious scripts into web pages, potentially leading to data theft and session hijacking. The vulnerability was published on June 27, 2022, and a fix is available in version 7.0.0.
The parse-url library is widely used in Node.js applications to split a URL into its components (protocol, host, path, query and so on). The library itself emits no HTML, so the exposure arises when an application treats the parsed result as already safe and echoes it into a page, for example as a link target or in a redirect. An attacker who can supply a URL that the library mis-parses can then get script into the application's output, and that script runs in the victim's browser with access to cookies, session tokens and page content. The impact is highest where user-supplied URLs are parsed and rendered without output encoding, a pattern common in link previews, redirect handlers and any feature built on URL parsing.
CVE-2022-2217 is not currently listed in the CISA KEV catalog. A public proof-of-concept exists, so the bug is straightforward to reproduce, but the EPSS estimate of 0.29% (53rd percentile) indicates that exploitation in the wild is unlikely in the near term. Given the library's wide, and often transitive, install base, treat the upgrade as a prompt routine fix rather than an emergency.
Applications built with Node.js that utilize the ionicabizau/parse-url library for URL parsing are at risk. This includes web applications, APIs, and backend services that process user-supplied URLs without proper sanitization. Projects relying on older versions of the library, particularly those with limited security testing or outdated dependencies, are especially vulnerable.
• nodejs / server:
npm ls parse-url
If any listed copy has a version below 7.0.0, the project is affected. Check every entry, not only the top-level one: parse-url is frequently installed transitively (for example through git-up / git-url-parse), and such nested copies are only fixed when the depending package is upgraded or an override is set.
• nodejs / server:
npm audit
npm audit takes no package argument; it checks the whole lockfile against the advisory database and reports parse-url together with the fix version. npm audit fix applies the upgrade where the declared version ranges allow it.
• generic web:
Inspect application logs for URL parameters carrying javascript: schemes or HTML markup, which indicate attempted XSS. This only reveals attempts against the application; it does not tell you whether the vulnerable dependency is present.
Disclosure
Patch
Exploit status
EPSS
0.29% (53% Perzentil)
CVSS vector
The primary mitigation for CVE-2022-2217 is to upgrade ionicabizau/parse-url to version 7.0.0 or later. 7.0.0 is a major release, so check its release notes for breaking changes, and look for nested copies pulled in by other packages (npm ls parse-url lists them); upgrading the direct dependency does not replace those, which need the depending package upgraded or an override in package.json. If upgrading is not immediately feasible, reduce exposure at the point where parsed values are used: allow only expected schemes (typically http and https) before a URL is rendered or followed, and encode every parsed component for the context it lands in (attribute, text or script) rather than trusting the parser's output as safe. A Web Application Firewall tuned for XSS payloads adds a layer of defence but is not a substitute for the upgrade. Review the application's URL handling to confirm that user-supplied data is validated and escaped at each sink.
Update the `parse-url` dependency to version 7.0.0 or later; this fixes the XSS vulnerability. Run `npm install parse-url@latest` or `yarn add parse-url@latest` to update.
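The scheme allowlist and context-aware encoding described above are what stop a mis-parsed URL from becoming script, whichever parser produced the value. The following is an added example, not code from the advisory or from parse-url: it shows the unsafe pattern (parsed value concatenated straight into HTML) beside a hardened version. It uses Node's built-in WHATWG URL class instead of parse-url so that it runs without the dependency; the sample inputs are constructed to resemble what an attacker would submit.

```javascript
// Added example (not the advisory's or parse-url's code): the unsafe pattern
// that turns a URL-parsing bug into XSS, next to a hardened version. Uses the
// built-in WHATWG URL class; the inputs at the bottom are constructed.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// UNSAFE: trusts whatever the parser handed back and concatenates it into HTML.
// A javascript: target, or a quote inside the value, becomes live markup.
function renderLinkUnsafe(href) {
  return `<a href="${href}">${href}</a>`;
}

// Escape for a double-quoted attribute value or a text node; the same set of
// five characters covers both of those contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Parse with the WHATWG parser, reject anything that is not an absolute
// http(s) URL, and return the normalised serialisation. Returns null when the
// input is rejected; the caller decides whether to drop the link or show text.
function safeHref(input) {
  let u;
  try {
    // No base URL: relative and protocol-relative ("//host/x") inputs throw.
    u = new URL(String(input));
  } catch {
    return null;
  }
  // u.protocol is already lower-cased and leading whitespace stripped by the
  // parser, so " JaVaScRiPt:" cannot slip past a case-sensitive check here.
  if (!ALLOWED_PROTOCOLS.has(u.protocol)) return null;
  return u.href;
}

// SAFE: validate the scheme, then encode for the sink. Percent-encoding done by
// the URL serialiser is not HTML encoding, so escapeHtml is still applied.
function renderLinkSafe(input) {
  const href = safeHref(input);
  if (href === null) return null;
  const enc = escapeHtml(href);
  return `<a href="${enc}">${enc}</a>`;
}

// Constructed inputs of the kinds an attacker would try.
const samples = [
  'https://example.com/path?q=1',
  'javascript:alert(document.cookie)',
  ' JaVaScRiPt:alert(1)',
  'https://example.com/?q="><script>alert(1)</script>',
  "https://example.com/it's",
  '//evil.example/pwn',
];
for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log('  unsafe:', renderLinkUnsafe(s));
  console.log('  safe:  ', renderLinkSafe(s));
}
```

Two design points: the allowlist is on the parsed protocol, not a regex over the raw string, so case tricks and leading whitespace are handled by the parser's normalisation; and the encoding happens at the HTML sink after parsing, because a parser's job is to decompose a URL, not to produce safe markup.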
CVE-2022-2217 is a CRITICAL Cross-Site Scripting (XSS) vulnerability in the ionicabizau/parse-url Node.js library, allowing attackers to inject malicious scripts.
You are affected if your project uses ionicabizau/parse-url at any version prior to 7.0.0, including copies installed transitively by other packages. Check your dependencies with npm ls parse-url.
Upgrade to version 7.0.0 or later of the ionicabizau/parse-url library, for example with `npm install parse-url@7.0.0` or `npm install parse-url@latest`.
Public proof-of-concept exploits are available, indicating a moderate risk of exploitation.
Refer to the ionicabizau/parse-url repository on GitHub for the advisory and release notes: https://github.com/ionicabizau/parse-url/releases/tag/7.0.0