Description
URI.js is a JavaScript URL mutation library. Before version 1.19.9, whitespace characters were not removed from the beginning of the protocol, so URLs were not parsed properly. As a result, leading whitespace bypasses protocol validation. In addition, several methods, including http.get(), location.href, and fetch(), strip the whitespace character in front of the protocol before sending the request. This issue has been patched in version 1.19.9.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 var p = URI.prototype; var hasOwn = Object.prototype.hasOwnProperty; @@ -239,6 +239,7 @@ // balanced parens inclusion (), [], {}, <> parens: /(\([^\)]*\)|\[[^\]]*\]|\{[^}]*\}|<[^>]*>)/g, }; + URI.leading_whitespace_expression = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/ // http://www.iana.org/assignments/uri-schemes.html // http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports URI.defaultPorts = { @@ -494,6 +495,9 @@ preventInvalidHostname: URI.preventInvalidHostname }; } + + string = string.replace(URI.leading_whitespace_expression, '') + // [protocol"://"[username[":"password]"@"]hostname[":"port]"/"?][path]["?"querystring]["#"fragment] // extract fragment
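Review bot: The added `URI.leading_whitespace_expression` line in the first hunk has no comment explaining the character set (the range \x00-\x20, then a list of Unicode space characters and \ufeff), and it sits directly above the IANA and port-number comments that belong to `URI.defaultPorts`, so it reads as part of that block. Add a one-line comment saying what the expression is for, separate it from the `defaultPorts` comments with a blank line, and end the statement with a semicolon like the surrounding assignments.

Review bot: In the second hunk, `string = string.replace(URI.leading_whitespace_expression, '')` relies on an expression anchored with `^`, so only characters in front of the scheme are removed; any of the same characters inside or after the scheme are left in place. If the goal is to agree with what the request-sending side strips, say in a comment which behaviour is being matched, and add test cases for a control character, a space and one of the Unicode spaces in front of the scheme, so that `protocol` is asserted rather than only `path`. The statement is also missing its semicolon.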
The issue was fixed as shown above.
Proof of Concept
sh-3.2$ node -e "URI = require('urijs'); console.log(new URI('\bhttps://google.com'))"
URI {
  _string: '',
  _parts: {
    protocol: undefined,
    username: null,
    password: null,
    hostname: null,
    urn: null,
    port: null,
    path: '\bhttps://google.com',
    query: null,
    fragment: null,
    preventInvalidHostname: false,
    duplicateQueryParameters: false,
    escapeQuerySpace: true
  },
  _deferred_build: true
}
sh-3.2$
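The parser mismatch described above, as an added example that is not URI.js code: a scheme allowlist built on a parser that expects the scheme at index 0 is compared with the same check after applying the expression from the 1.19.9 patch, and with what Node's built-in WHATWG `URL` parser reports. `extractScheme`, `naiveIsSafe`, `hardenedIsSafe`, `consumerScheme`, the allowlist and the `example.test` input are assumptions made for this illustration.

```javascript
// Added example. extractScheme() is a simplified stand-in for a parser that
// only recognises a scheme at the very start of the input; it is not URI.js.

// Expression copied from the 1.19.9 patch shown on this page.
const LEADING_WHITESPACE = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;

// Hypothetical policy: only these schemes may be fetched; scheme-less input
// is treated as a relative path and allowed.
const ALLOWED = new Set(['http', 'https']);

// Returns the lowercased scheme, or undefined if the input does not start with one.
function extractScheme(input) {
  const m = /^([a-z][a-z0-9.+-]*):/i.exec(input);
  return m ? m[1].toLowerCase() : undefined;
}

// Pre-patch style check: a leading control character hides the scheme,
// so the input is classified as a relative path and accepted.
function naiveIsSafe(input) {
  const scheme = extractScheme(input);
  return scheme === undefined || ALLOWED.has(scheme);
}

// Same policy, but the input is normalised the way the patch does first.
function hardenedIsSafe(input) {
  const scheme = extractScheme(input.replace(LEADING_WHITESPACE, ''));
  return scheme === undefined || ALLOWED.has(scheme);
}

// Scheme seen by a WHATWG URL consumer, which strips leading C0 control
// characters and spaces; undefined when the input is not an absolute URL.
function consumerScheme(input) {
  try {
    return new URL(input).protocol.replace(/:$/, '');
  } catch {
    return undefined;
  }
}

// Constructed sample inputs; the first is the string from the page's PoC.
const samples = ['\bhttps://google.com', '\bftp://example.test/file', 'docs/page'];
for (const s of samples) {
  console.log(JSON.stringify(s), {
    naive: naiveIsSafe(s),
    hardened: hardenedIsSafe(s),
    consumerSees: consumerScheme(s),
  });
}
```

For the second sample the naive check accepts the input while the consumer resolves it as `ftp`; the normalised check rejects it.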
Reporting Timeline
2022-02-27 11h 50m : Issue reported via huntr
2022-03-03 19h 21m : Issue validated by Rodney Rehm
2022-03-03 19h 22m : Issue patched by Rodney Rehm
2022-03-03 19h 22m : Version 1.19.9 released by Rodney Rehm
2022-03-03 21h 49m : CVE requested by Rodney Rehm
2022-03-04 12h 44m : CVE-2022-24723 assigned by github-staff
Reference