CVE-2022-0624: Authorization Bypass Through User-Controlled Key

June 28, 2022 (updated July 7, 2022)

Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0. parse-path is unable to detect the right resource. While parsing http://127.0.0.1#@example.com url, parse-path thinks that the host/resource is example.com, however the actual resource is 127.0.0.1.

References

github.com/advisories/GHSA-3j8f-xvm3-ffx4
github.com/ionicabizau/parse-path/commit/f9ad8856a3c8ae18e1cf4caef5edbabbc42840e8
huntr.dev/bounties/afffb2bd-fb06-4144-829e-ecbbcbc85388
nvd.nist.gov/vuln/detail/CVE-2022-0624

Code Behaviors & Features

Detect and mitigate CVE-2022-0624 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →