url-parse
Fixed in
1.4.3
CVE-2018-3774 is an Open Redirect vulnerability affecting versions of the url-parse package prior to 1.4.3. This flaw stems from incorrect hostname parsing, potentially allowing attackers to redirect users to malicious sites or exploit Server-Side Request Forgery (SSRF) vulnerabilities. Affected versions include all releases before 1.4.3; upgrading to version 1.4.3 or later resolves the issue.
The impact of CVE-2018-3774 is significant due to the potential for both Open Redirect and SSRF attacks. An attacker could craft a malicious URL that, when processed by an application using the vulnerable url-parse library, redirects users to a phishing site designed to steal credentials. The SSRF aspect allows an attacker to make requests to internal resources that should be inaccessible, potentially exposing sensitive data or allowing unauthorized access to backend systems. This could lead to data breaches, privilege escalation, and even complete system compromise, especially if the application uses the parsed URL to make further requests without proper validation.
CVE-2018-3774 was publicly disclosed on August 13, 2018. While no widespread exploitation campaigns have been definitively linked to this specific vulnerability, the ease of exploitation and the potential impact make it a prime target. The Open Redirect and SSRF vectors are commonly exploited in real-world attacks. There are publicly available proof-of-concept exploits demonstrating the vulnerability's impact.
Node.js applications that rely on the url-parse package for URL parsing are at risk. This includes web applications, APIs, and any other services that process URLs from user input or external sources. Projects using older versions of Node.js or those with complex dependency chains are particularly vulnerable.
• nodejs / server: npm list url-parse
  If the output shows a version less than 1.4.3, the system is vulnerable.
• nodejs / server: npm audit url-parse
  This command will identify the vulnerability and suggest an upgrade.
• generic web: Inspect application logs for unusual redirect URLs or requests to unexpected internal resources. Look for patterns indicating manipulation of URL parameters.
disclosure
Exploit status
EPSS
1.75% (82nd percentile)
CVSS vector
The primary mitigation for CVE-2018-3774 is to immediately upgrade the url-parse package to version 1.4.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing strict input validation on any URLs parsed by url-parse. This validation should include whitelisting allowed domains and carefully scrutinizing the hostname. Web Application Firewalls (WAFs) can also be configured to detect and block suspicious redirects. Monitor application logs for unusual redirect patterns that might indicate exploitation.
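An allowlist check of the kind the mitigation above describes, as an added example in JavaScript (not code from url-parse or from this advisory): it resolves the redirect target against the application's own origin, then requires an exact hostname match against an allowlist. APP_ORIGIN, ALLOWED_HOSTS and the sample targets are assumed, constructed values.

```javascript
// Added example (not from the url-parse project): an allowlist check for
// redirect targets, the compensating control the advisory recommends while
// a vulnerable url-parse version is still in the dependency tree.
// It parses with Node's built-in WHATWG URL class rather than url-parse,
// so the check does not depend on the parser whose hostname handling is at issue.
// APP_ORIGIN and ALLOWED_HOSTS are constructed sample values (assumptions).

const APP_ORIGIN = "https://app.example/";
const ALLOWED_HOSTS = new Set(["app.example", "accounts.app.example"]);

/**
 * Returns a normalized absolute URL string that is safe to redirect to,
 * or null if the target must be rejected.
 *
 * Relative targets ("/account") are resolved against APP_ORIGIN, so a
 * scheme-relative "//other.host/" becomes an absolute URL and is judged
 * by its real host instead of being waved through as "relative".
 */
function safeRedirectTarget(input, allowedHosts = ALLOWED_HOSTS) {
  if (typeof input !== "string" || input.length === 0 || input.length > 2048) {
    return null;
  }
  let url;
  try {
    url = new URL(input, APP_ORIGIN);
  } catch {
    return null; // unparseable input is rejected, not guessed at
  }
  // Only web schemes may be redirect targets.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Reject any userinfo: "user@host" forms are a classic source of
  // disagreement between parsers about which part is the hostname.
  if (url.username !== "" || url.password !== "") return null;
  // WHATWG parsing already lowercases the host; require an exact match,
  // never a suffix match, so "app.example.other.host" does not qualify.
  if (!allowedHosts.has(url.hostname)) return null;
  return url.href;
}
```

Use the returned string, never the raw input, as the Location header value; a null result should fall back to a fixed in-app page.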
No official patch available. Look for alternatives or monitor for updates.
CVE-2018-3774 is a CRITICAL Open Redirect vulnerability in the url-parse package, affecting versions before 1.4.3. Incorrect hostname parsing can lead to SSRF or authentication bypass.
Yes, if your project uses url-parse version 1.4.3 or earlier, you are vulnerable. Check your project dependencies using npm list url-parse.
Upgrade the url-parse package to version 1.4.3 or later using npm install url-parse@latest.
While no widespread campaigns are confirmed, the vulnerability's ease of exploitation and potential impact make it a likely target for attackers.
Refer to the url-parse project's GitHub repository for updates and advisories: https://github.com/substack/node-url-parse