Platform: nodejs
Component: parse-url
Fixed in: 8.1.0
CVE-2022-2900 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the parse-url Node.js package. This flaw allows attackers to manipulate the package into making requests to unintended internal or external resources, potentially leading to sensitive data exposure or unauthorized access. Versions of parse-url prior to 8.1.0 are affected, and a patch has been released.
The SSRF vulnerability in parse-url allows an attacker to craft malicious URLs that, when processed by the application, result in the server making requests to unintended destinations. This can lead to several severe consequences. An attacker could potentially scan internal networks for open ports and services, access sensitive data stored on internal servers (databases, configuration files), or even interact with internal APIs without proper authentication. The blast radius extends to any internal resources accessible via HTTP/HTTPS, making this a high-risk vulnerability.
CVE-2022-2900 was publicly disclosed on September 14, 2022. While no active exploitation campaigns have been definitively linked to this vulnerability, the SSRF nature of the flaw makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV, and an EPSS score is pending evaluation. Public proof-of-concept exploits are available, increasing the risk of exploitation.
Applications built with Node.js that utilize the parse-url package are at risk. This includes web applications, APIs, and backend services that process URLs from external sources. Projects relying on older versions of parse-url without robust input validation are particularly vulnerable.
• nodejs / server:
npm list parse-url
# Check for installed versions < 8.1.0 (8.1.0 contains the fix)
• nodejs / server:
find /usr/local/lib/node_modules /opt/node_modules -name "parse-url" -print0 | xargs -0 grep -ri "//internal.example.com"
# Look for hard-coded internal URLs in the installed package code
Disclosure
Exploit status
EPSS
0.43% (63rd percentile)
CVSS vector
The primary mitigation for CVE-2022-2900 is to immediately upgrade the parse-url package to version 8.1.0 or higher. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization on URLs processed by the application. Specifically, restrict the allowed URL schemes and domains to prevent the package from making requests to unintended locations. Web Application Firewalls (WAFs) can also be configured to block requests containing suspicious URL patterns. After upgrading, confirm the fix by attempting to craft a malicious URL and verifying that it is properly blocked or sanitized.
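One way to implement the scheme and domain restriction described above, as an added example that is not the advisory's or the parse-url project's own code: it relies only on Node's built-in WHATWG URL class, and the allowlist and sample URLs are constructed for illustration.

```javascript
// Added example: allowlist-based destination check for URLs taken from
// untrusted input, run before the server makes any outbound request.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Normalise a hostname for comparison: lowercase, drop a trailing dot.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True when `host` equals an allowlisted name or is a subdomain of one.
function hostMatches(host, allowedHosts) {
  return allowedHosts.some((allowed) => {
    const a = normalizeHost(allowed);
    return host === a || host.endsWith("." + a);
  });
}

// Returns { ok: true, url } for an accepted destination,
// or { ok: false, reason } when the URL must not be fetched.
function checkOutboundUrl(input, allowedHosts) {
  let url;
  try {
    url = new URL(input); // WHATWG parser built into Node.js
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + url.protocol };
  }
  // Embedded credentials ("user@host") are a common source of host
  // extraction disagreements between URL parsers; refuse them outright.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials in URL" };
  }
  const host = normalizeHost(url.hostname);
  if (!hostMatches(host, allowedHosts)) {
    return { ok: false, reason: "host not allowlisted: " + host };
  }
  return { ok: true, url: url.href };
}

// Constructed allowlist and sample inputs (not from the advisory).
const ALLOWLIST = ["api.example.com"];
const SAMPLES = [
  "https://api.example.com/v1/items",
  "http://internal.example.com/admin",
  "https://api.example.com@evil.example/",
  "file:///etc/passwd",
];
for (const s of SAMPLES) console.log(s, "->", checkOutboundUrl(s, ALLOWLIST));
```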
Update the 'parse-url' dependency to version 8.1.0 or higher. This fixes the SSRF vulnerability. Run 'npm install parse-url@latest' or 'yarn add parse-url@latest' to update.
CVE-2022-2900 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting versions of the parse-url Node.js package before 8.1.0, allowing attackers to make requests to unintended resources.
If your Node.js project uses a parse-url version earlier than 8.1.0, you are potentially affected. Check your dependencies with npm list parse-url.
Upgrade the parse-url package to version 8.1.0 or later using npm install parse-url@latest. Implement input validation as a temporary workaround if upgrading is not immediately possible.
While no confirmed active exploitation campaigns are publicly known, the SSRF nature of the vulnerability makes it a potential target for attackers.
Refer to the parse-url repository on GitHub for updates and advisories: https://github.com/ionicabizau/parse-url