Platform: nodejs
Component: parse-url
Fixed in: 7.0.0
CVE-2022-2216 represents a critical Server-Side Request Forgery (SSRF) vulnerability discovered in the ionicabizau/parse-url Node.js package. This flaw allows attackers to manipulate the package into making requests to unintended destinations, potentially exposing internal resources or performing actions on behalf of the server. Versions of parse-url prior to 7.0.0 are affected, and upgrading to the patched version is essential to mitigate this risk.
The SSRF vulnerability in parse-url allows an attacker to craft malicious URLs that the package will then process and forward to a server. This can lead to several severe consequences. An attacker could potentially scan internal networks for open ports and services, access sensitive data stored on internal servers (databases, configuration files), or even trigger actions on other systems within the network. The blast radius extends to any service or resource accessible from the server running the vulnerable parse-url package. Given the widespread use of Node.js and the parse-url package in web applications, this vulnerability poses a significant risk to a large number of deployments.
CVE-2022-2216 was publicly disclosed on June 27, 2022. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation make it a likely target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are readily available, increasing the risk of opportunistic attacks.
Exploit Status
EPSS: 0.32% (55th percentile)
CVSS Vector
The primary mitigation for CVE-2022-2216 is to immediately upgrade the parse-url package to version 7.0.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by validating and sanitizing all URLs passed to the parse-url function. Specifically, restrict the allowed protocols and domains to only those explicitly required by the application. Web Application Firewalls (WAFs) can also be configured to block requests containing suspicious URL patterns. Monitor network traffic for unusual outbound connections originating from your application servers.
Update the `parse-url` dependency to version 7.0.0 or higher. This fixes the SSRF vulnerability. Run `npm install parse-url@latest` or `yarn add parse-url@latest` to update.
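The workaround above (restricting protocols and domains before a URL reaches `parse-url`) as an added example; this is not code from the parse-url project, and the allowlist, function names and sample inputs are assumptions constructed for illustration. The validated, normalized `href` is what should be handed on to the parser and the HTTP client, so that both see the same string.

```javascript
// Added example: allowlist validation for untrusted URLs before they are
// handed to parse-url or an HTTP client. The allowed hosts, the helper name
// and the sample inputs are assumptions for this example, not project code.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns { ok: true, url } with the normalized href, or { ok: false, reason }.
function validateOutboundUrl(input, allowedHosts) {
  let parsed;
  try {
    // Node's built-in WHATWG URL parser; it lowercases the hostname for us.
    parsed = new URL(String(input));
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // Only the protocols the application actually needs.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: "protocol" };
  }
  // Embedded credentials are a classic source of parser disagreement; refuse them.
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials" };
  }
  // Exact hostname match against an explicit allowlist, not a substring check.
  if (!allowedHosts.has(parsed.hostname)) {
    return { ok: false, reason: "host" };
  }
  // Pass the normalized form downstream, never the raw attacker-supplied string.
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs: one legitimate URL and several that must be rejected.
const ALLOWED_HOSTS = new Set(["api.example.com"]);
const SAMPLE_INPUTS = [
  "https://api.example.com/v1/items",
  "https://API.EXAMPLE.COM/",
  "ftp://api.example.com/file",
  "https://user:pw@api.example.com/",
  "https://evil.example.net/",
  "not a url",
];

function runSamples() {
  return SAMPLE_INPUTS.map((u) => [u, validateOutboundUrl(u, ALLOWED_HOSTS)]);
}

for (const [input, result] of runSamples()) {
  console.log(result.ok ? "ALLOW" : `REJECT (${result.reason})`, input);
}
```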
CVE-2022-2216 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting versions of the parse-url Node.js package prior to 7.0.0, allowing attackers to make requests to unintended destinations.
You are affected if your project uses a parse-url version earlier than 7.0.0. Check your `package.json` file and run `npm list parse-url` to verify the installed version.
Upgrade the parse-url package to version 7.0.0 or later using `npm install parse-url@7.0.0`.
While no confirmed active exploitation campaigns are publicly known, the CRITICAL severity and availability of PoCs suggest a high likelihood of exploitation.
Refer to the official parse-url repository on GitHub for updates and advisories: https://github.com/ionicabizau/parse-url