CRITICALCVE-2018-3774CVSS 10

CVE-2018-3774: Open Redirect in url-parse

Platform

nodejs

Component

url-parse

Fixed in

1.4.3

AI Confidence: highNVDEPSS 1.7%Reviewed: May 2026

View on NVD

Save

CVE-2018-3774 is an Open Redirect vulnerability affecting versions of the url-parse package prior to 1.4.3. This flaw stems from incorrect hostname parsing, potentially allowing attackers to redirect users to malicious sites or exploit Server-Side Request Forgery (SSRF) vulnerabilities. Affected versions include all releases before 1.4.3; upgrading to version 1.4.3 or later resolves the issue.

Impact and Attack Scenarios

The impact of CVE-2018-3774 is significant due to the potential for both Open Redirect and SSRF attacks. An attacker could craft a malicious URL that, when processed by an application using the vulnerable url-parse library, redirects users to a phishing site designed to steal credentials. The SSRF aspect allows an attacker to make requests to internal resources that should be inaccessible, potentially exposing sensitive data or allowing unauthorized access to backend systems. This could lead to data breaches, privilege escalation, and even complete system compromise, especially if the application uses the parsed URL to make further requests without proper validation.

Exploitation Context

CVE-2018-3774 was publicly disclosed on August 13, 2018. While no widespread exploitation campaigns have been definitively linked to this specific vulnerability, the ease of exploitation and the potential impact make it a prime target. The Open Redirect and SSRF vectors are commonly exploited in real-world attacks. There are publicly available proof-of-concept exploits demonstrating the vulnerability's impact.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

NextGuard10–15% still vulnerable

EPSS

1.75% (82% percentile)

CVSS Vector

Affected Software

Componenturl-parse

Vendorosv

Affected rangeFixed in

1.0.01.4.3

Timeline

Published2018-08-13
Modified2026-02-03
EPSS updated2026-04-02

Patched -14 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2018-3774 is to immediately upgrade the url-parse package to version 1.4.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing strict input validation on any URLs parsed by url-parse. This validation should include whitelisting allowed domains and carefully scrutinizing the hostname. Web Application Firewalls (WAFs) can also be configured to detect and block suspicious redirects. Monitor application logs for unusual redirect patterns that might indicate exploitation.

How to fix

No official patch available. Check for workarounds or monitor for updates.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2018-3774 — Open Redirect in url-parse?

CVE-2018-3774 is a CRITICAL Open Redirect vulnerability in the url-parse package, affecting versions before 1.4.3. Incorrect hostname parsing can lead to SSRF or authentication bypass.

Am I affected by CVE-2018-3774 in url-parse?

Yes, if your project uses url-parse version 1.4.3 or earlier, you are vulnerable. Check your project dependencies using npm list url-parse.

How do I fix CVE-2018-3774 in url-parse?

Upgrade the url-parse package to version 1.4.3 or later using npm install url-parse@latest.

Is CVE-2018-3774 being actively exploited?

While no widespread campaigns are confirmed, the vulnerability's ease of exploitation and potential impact make it a likely target for attackers.

Where can I find the official url-parse advisory for CVE-2018-3774?

Refer to the url-parse project's GitHub repository for updates and advisories: https://github.com/substack/node-url-parse