Platform
nodejs
Component
parse-url
Fixed in
7.0.0
CVE-2022-2218 is a stored Cross-Site Scripting (XSS) vulnerability affecting the parse-url Node.js package versions up to and including 7.0.0. This vulnerability allows attackers to inject malicious scripts into the application through specially crafted URLs. Successful exploitation can lead to session hijacking, data theft, and other malicious activities. A fix is available in version 7.0.0.
The parse-url package is commonly used in Node.js applications to parse URLs. This XSS vulnerability arises because the package doesn't properly sanitize URL components before rendering them. An attacker can craft a malicious URL containing JavaScript code, which, when processed by the application, will be executed in the user's browser. This can lead to the attacker stealing session cookies, redirecting users to phishing sites, or defacing the application. The impact is particularly severe in applications that heavily rely on user-supplied URLs or integrate with external services that pass URLs to the application.
This vulnerability was publicly disclosed on June 27, 2022. While no active exploitation campaigns have been definitively linked to CVE-2022-2218, the CRITICAL severity and ease of exploitation make it a high-priority target. Public proof-of-concept code is likely to emerge, increasing the risk of widespread exploitation. The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS
0.32% (55% percentile)
CVSS Vector
The primary mitigation for CVE-2022-2218 is to upgrade the parse-url package to version 7.0.0 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the application side to sanitize user-supplied URLs before they are processed. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review application code for any instances where URL components are directly rendered without proper sanitization.
Actualice la dependencia `parse-url` a la versión 7.0.0 o superior. Esto solucionará la vulnerabilidad XSS almacenada. Ejecute `npm install parse-url@latest` o `yarn add parse-url@latest` para actualizar.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2022-2218 is a stored Cross-Site Scripting (XSS) vulnerability in the ionicabizau/parse-url package versions up to 7.0.0, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if your Node.js application uses parse-url version 7.0.0 or earlier. Check your project dependencies using npm list parse-url.
Upgrade the parse-url package to version 7.0.0 or later using npm install [email protected].
While no confirmed active exploitation campaigns are known, the CRITICAL severity and ease of exploitation make it a high-priority target. Monitor for emerging proof-of-concept code.
Refer to the GitHub repository ionicabizau/parse-url for updates and advisories: https://github.com/ionicabizau/parse-url
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.