Conversation

@ljharb ljharb commented Jan 26, 2026

Updates

  • Affected products

Comments
0.0.x versions (0.0.0 - 0.0.4) are NOT vulnerable because they use Node's built-in url.parse() instead of custom parsing logic:

  // In 0.0.x, the Node.js code path is simply:
  var parse = require('url').parse;

Node's url.parse() correctly handles multiple @ signs by treating the last @ as the auth/host separator:

  // 0.0.4 test:
  const parse = require('url').parse;
  parse('http://user@attacker.com@example.com/');
  // => hostname: 'example.com', auth: 'user@attacker.com'  ✓ CORRECT

In contrast, versions 0.1.0+ use custom regex/rule-based parsing that finds the first @:

  • 0.1.x - 0.2.x: Uses "MOARE" (Mother Of All Regular Expressions) that captures at first @
  • 1.0.0+: Uses rule-based parsing with address.indexOf('@') which finds first @

Both approaches incorrectly give hostname: 'attacker.com@example.com' instead of example.com.

Copilot AI review requested due to automatic review settings January 26, 2026 17:37
@github-actions github-actions bot changed the base branch from main to ljharb/advisory-improvement-6723 January 26, 2026 17:38
Copilot AI left a comment

Pull request overview

This pull request updates the security advisory GHSA-rqff-837h-mm52 for the url-parse npm package to correct the affected version range, excluding versions 0.0.0-0.0.4 which are not vulnerable to the CVE-2022-0512 authorization bypass vulnerability.

Changes:

  • Updated the modified timestamp to reflect the advisory update date
  • Changed the introduced version from "0" to "0.1.0" to exclude 0.0.x versions that use Node's built-in url.parse()

@helixplant

Hi @ljharb,
We are currently looking into this and should have an answer for you soon.
