Vulnerable url-parse version #300

Closed
pumano opened this issue Apr 4, 2022 · 1 comment

pumano commented Apr 4, 2022

Please update url-parse to the latest non-vulnerable version.

npm audit provides info:

```
url-parse <=1.5.8
fixed in 1.5.9
Severity: critical
Authorization bypass in url-parse - GHSA-rqff-837h-mm52
Incorrect returned href via an '@' sign but no user info and hostname - GHSA-8v38-pw62-9cw2
Incorrect hostname / protocol due to unstripped leading control characters. - GHSA-jf5r-8hm2-f872
Authorization Bypass Through User-Controlled Key in url-parse - GHSA-hgjh-723h-mx2j
fix available via npm audit fix
node_modules/url-parse
```

```
% npm ls url-parse
myproject@1.0.0
└─┬ webdav@4.8.0
  └── url-parse@1.5.3
```

perry-mitchell (Owner) commented

Released in 4.9.0
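
As an added example (not part of this thread and not code from webdav or url-parse): a Node.js check that walks the JSON tree printed by `npm ls url-parse --all --json` and reports every dependency path that still resolves url-parse at or below 1.5.8, the range in the audit output above. The sample tree is constructed from the `npm ls` output in the issue, and `other-lib` is a hypothetical package.

```javascript
// Added example. Range taken from the npm audit output in this issue:
// url-parse <=1.5.8 is affected, 1.5.9 carries the fixes.
const LAST_VULNERABLE = [1, 5, 8];

// Parse "1.5.3" into [1, 5, 3]; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version <= 1.5.8. A missing or malformed version is
// treated as vulnerable so that it gets looked at (fail closed).
function isVulnerable(version) {
  const parts = parseVersion(version);
  if (!parts) return true;
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== LAST_VULNERABLE[i]) return parts[i] < LAST_VULNERABLE[i];
  }
  return true; // exactly 1.5.8
}

// Walk an `npm ls --json` tree and return one "a > b > c" path per
// vulnerable copy, so the direct dependency to upgrade is visible.
function findVulnerable(tree, name = "url-parse") {
  const hits = [];
  const walk = (node, path) => {
    for (const [dep, info] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${dep}@${info.version}`];
      if (dep === name && isVulnerable(info.version)) hits.push(here.join(" > "));
      walk(info, here);
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Constructed sample mirroring the `npm ls url-parse` output in the issue.
const sample = {
  name: "myproject", version: "1.0.0",
  dependencies: {
    webdav: { version: "4.8.0", dependencies: { "url-parse": { version: "1.5.3" } } },
    // hypothetical package, added to show that a fixed copy is not flagged
    "other-lib": { version: "2.0.0", dependencies: { "url-parse": { version: "1.5.9" } } },
  },
};

console.log(findVulnerable(sample));
```

Running the same function on the tree after upgrading webdav shows whether the nested url-parse copy actually moved out of the affected range.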
