A URL's hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.
Impact: Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL: "http://google.com:80\\@yahoo.com/#what\\is going on"
Expected behaviour (as returned by NPM urijs):
{
"scheme": "http",
"user": "",
"password": "",
"host": "google.com",
"port": "",
"path": "@yahoo.com/",
"query": "",
"fragment": "what\\is going on"
}
Actual behaviour:
{
"scheme": "http",
"user": "google.com",
"password": "80\\",
"host": "yahoo.com",
"port": "",
"path": "/",
"query": "",
"fragment": "what\\is going on"
}
Expected version is the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26291
|