CVE-2020-8124: Improper Validation and Sanitization in url-parse

January 6, 2022 (updated February 3, 2026)

Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks.

References

github.com/advisories/GHSA-46c4-8wrp-j99v
github.com/github/advisory-database/pull/6762
github.com/unshiftio/url-parse
github.com/unshiftio/url-parse/commit/3ecd256f127c3ada36a84d9b8dd3ebd14316274b
hackerone.com/reports/496293
nvd.nist.gov/vuln/detail/CVE-2020-8124

Code Behaviors & Features

Detect and mitigate CVE-2020-8124 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →