Security Vulnerability Report
I've identified a hostname parsing differential in url-parse that enables SSRF and allowlist bypass.
Summary
url-parse does not normalize Unicode confusable characters (U+3002, U+FF0E, U+FF61) in hostnames, while browsers and Node.js native URL do. This creates parser differentials exploitable for SSRF bypass.
PoC
const Url = require('url-parse');
console.log(new Url('http://evil\u3002com/').hostname); // evil。com
console.log(new URL('http://evil\u3002com/').hostname); // evil.com
Impact
Applications using url-parse for URL validation are vulnerable to SSRF and open redirect bypasses via Unicode confusable characters in hostnames.
Advisory
I've published a detailed advisory here: GHSA-9pv6-g64m-xhrq
GitHub cannot assign a CVE from a fork. Could you please create a security advisory on this repository so a CVE can be assigned? I'm happy to help with the process.
Affected Versions
All versions <= 1.5.10
Suggested Fix
Apply IDNA/Unicode normalization to hostnames before parsing, consistent with the WHATWG URL Standard.
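Added example (my code, not url-parse's or the advisory's) showing the confusable-dot differential and one defender-side check: it maps the three dot confusables above to U+002E the way UTS #46 / WHATWG URL does, flags any URL whose verbatim authority disagrees with Node's built-in `URL`, and matches the allowlist only against the canonical hostname. `naiveHostname` is a constructed stand-in for a parser that copies the authority verbatim; it is not url-parse's implementation.

```javascript
// Example validator for the confusable-dot hostname differential (added here,
// not url-parse's code). Uses only Node globals so it runs without dependencies.

// UTS #46 maps these code points to U+002E before IDNA processing; the WHATWG
// URL host parser (browsers, Node's URL) inherits that mapping.
const DOT_CONFUSABLES = /[\u3002\uFF0E\uFF61]/g;

// Canonicalize a hostname: confusable dots first (NFKC alone would turn
// U+FF61 into U+3002 rather than '.'), then NFKC for fullwidth letters, then
// lowercase. IDNA ToASCII (punycode) is left to the built-in URL parser.
function normalizeHostname(host) {
  return host.replace(DOT_CONFUSABLES, '.').normalize('NFKC').toLowerCase();
}

// Constructed stand-in for a parser that copies the authority verbatim.
function naiveHostname(urlString) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#@]*@)?([^/?#:]+)/i.exec(urlString);
  return m ? m[2] : null;
}

// Hostname as a browser or Node would actually resolve it.
function whatwgHostname(urlString) {
  try { return new URL(urlString).hostname; } catch { return null; }
}

// True when the verbatim authority and the canonical host disagree, i.e. a
// validator built on the verbatim parser would be checking a different host.
function hostnameDiffers(urlString) {
  const canonical = whatwgHostname(urlString);
  const naive = naiveHostname(urlString);
  return canonical === null || naive === null || naive.toLowerCase() !== canonical;
}

// Allowlist check: reject on any differential, then match the canonical host
// (exact or subdomain) against the allowlist.
function checkAllowlist(urlString, allowlist) {
  if (hostnameDiffers(urlString)) {
    return { allowed: false, reason: 'parser differential' };
  }
  const canonical = whatwgHostname(urlString);
  const ok = allowlist.some(a => canonical === a || canonical.endsWith('.' + a));
  return { allowed: ok, reason: ok ? 'allowlisted' : 'not allowlisted' };
}
```

`checkAllowlist('http://evil\u3002com/', ['example.com'])` is rejected as a parser differential, while `http://api.example.com/` passes.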