Platform: nodejs
Component: parse-url
Fixed in: 8.1.0
CVE-2022-2900 describes a Server-Side Request Forgery (SSRF) vulnerability in the parse-url Node.js package. An attacker who controls a URL that the package parses can cause the application to send requests to unintended internal or external resources, potentially leading to sensitive data exposure or unauthorized access. Versions of parse-url prior to 8.1.0 are affected, and a patch has been released.
The SSRF vulnerability in parse-url allows an attacker to craft malicious URLs that, when processed by the package, result in the server making requests to arbitrary destinations. This can be exploited to reach internal services that are not directly exposed to the internet, such as databases, internal APIs, or cloud metadata endpoints. Successful exploitation could lead to the leakage of sensitive information, denial of service, or even remote code execution if the targeted internal service is itself vulnerable. The impact is particularly severe where parse-url processes user-supplied input without prior validation, as this provides a direct attack vector.
CVE-2022-2900 was publicly disclosed on September 14, 2022. While no active exploitation campaigns have been definitively linked to this vulnerability, the SSRF nature of the flaw makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the ease of exploitation.
Exploit Status
EPSS: 0.43% (63rd percentile)
CVSS Vector
The primary mitigation for CVE-2022-2900 is to upgrade the parse-url package to version 8.1.0 or later. If upgrading is not immediately feasible because of compatibility issues or breaking changes, validate and sanitize URLs before they reach the package: restrict the allowed URL schemes and destination hosts to an explicit allow-list so that requests cannot be redirected to unintended destinations. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious URL patterns, and outbound network traffic from application servers should be monitored for unusual destinations.
Update the 'parse-url' dependency to version 8.1.0 or higher; this corrects the SSRF vulnerability. Run 'npm install parse-url@latest' or 'yarn add parse-url@latest' to update.
CVE-2022-2900 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting versions of the parse-url Node.js package up to 8.1.0, allowing attackers to make requests to unintended resources.
If your Node.js project uses parse-url version 8.1.0 or earlier, you are potentially affected. Check your dependencies with npm list parse-url.
Upgrade the parse-url package to version 8.1.0 or later using npm install parse-url@latest. Implement input validation as a temporary workaround if upgrading is not immediately possible.
While no confirmed active exploitation campaigns are publicly known, the SSRF nature of the vulnerability makes it a potential target for attackers.
Refer to the parse-url repository on GitHub for updates and advisories: https://github.com/ionicabizau/parse-url