CVE-2020-8124
Description
Insufficient validation and sanitization of user input in the url-parse npm package, version 1.4.4 and earlier, may allow an attacker to bypass security checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insufficient input sanitization in url-parse npm package allows attackers to bypass security checks by injecting leading whitespace, enabling hostname confusion attacks.
Vulnerability
Details
The url-parse npm package, from version 0.1.0 up to and including 1.4.4, contains insufficient validation and sanitization of user input [2]. The root cause is that the library did not trim leading whitespace characters before parsing a URL. An attacker could therefore prepend whitespace (including non-standard Unicode whitespace) to a URL and bypass security checks that rely on the parsed hostname or protocol.
Exploitation
An attacker can supply a URL with leading whitespace to an application that uses url-parse for security decisions (e.g., hostname allowlisting). Because the parser sees whitespace where the protocol should begin, it can misinterpret the hostname and resolve to a different host than intended. No authentication is needed if the attacker controls the URL input, and the attack vector is remote.
Impact
Successful exploitation could allow an attacker to bypass hostname validation, leading to access to arbitrary hosts or resources, potentially enabling SSRF or other attacks that rely on URL parsing.
Mitigation
The fix was implemented in commit [4] by introducing a trimLeft function that removes leading whitespace before parsing. Users should upgrade to url-parse version 1.4.5 or later. Versions prior to 0.1.0 (0.0.x) are unaffected as they used a different parsing architecture that delegated to built-in URL parsing [2].
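To make the mechanism concrete, here is an added example (not code from the url-parse project or from this page) that re-creates the `extractProtocol` step with the `protocolre` and `whitespace` regular expressions shown in the patch on this page, and runs a scheme denylist check against it both before and after the `trimLeft` fix. The names `extractProtocolVulnerable`, `extractProtocolFixed`, `isBlockedScheme` and `compare`, and the sample inputs, are chosen here for illustration.

```javascript
// Added example (not url-parse's own code): re-creates the extractProtocol()
// step with the regular expressions from the 1.4.5 patch, to show how a
// scheme check behaves before and after leading whitespace is trimmed.

// Optional scheme, optional "//", then everything else (regex from the patch).
const protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i;

// ASCII and Unicode space characters (character class from the patch).
const whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000' +
  '\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A' +
  '\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]';
const left = new RegExp('^' + whitespace + '+');

// Strip leading whitespace only, exactly as the fix does.
function trimLeft(str) {
  return (str || '').replace(left, '');
}

// Behaviour of url-parse <= 1.4.4: the input is matched as-is, so a leading
// space stops the scheme group from matching and protocol comes back empty.
function extractProtocolVulnerable(address) {
  const match = protocolre.exec(address || '');
  return {
    protocol: match[1] ? match[1].toLowerCase() : '',
    slashes: !!match[2],
    rest: match[3]
  };
}

// Behaviour of 1.4.5: trim first, then match.
function extractProtocolFixed(address) {
  return extractProtocolVulnerable(trimLeft(address));
}

// A consumer check of the kind the advisory describes: refuse javascript:
// links. Browsers strip leading ASCII whitespace from an href before parsing
// it, so a check that reports "not javascript:" for " javascript://..." lets
// through a link that still executes when clicked.
function isBlockedScheme(input, extractProtocol) {
  return extractProtocol(input).protocol === 'javascript:';
}

// Constructed inputs (not from the advisory): plain, ASCII-space-prefixed,
// BOM-prefixed (covered by the patch's character class), and a benign URL.
const samples = [
  'javascript://foo',
  ' javascript://foo',
  '\uFEFFjavascript:alert(1)',
  'https://example.com/'
];

// Run the denylist check with both behaviours over the constructed inputs.
function compare(inputs) {
  return inputs.map((input) => ({
    input,
    blockedBefore: isBlockedScheme(input, extractProtocolVulnerable),
    blockedAfter: isBlockedScheme(input, extractProtocolFixed)
  }));
}

for (const row of compare(samples)) {
  console.log(JSON.stringify(row));
}
```

The empty protocol is exactly what a denylist check misses: before the fix, `' javascript://foo'` is reported as having no scheme at all, so a "reject if javascript:" rule passes it. Where the application can require an absolute URL, an allowlist of accepted schemes (and hosts) is the more robust check, since an unexpected empty value is then rejected rather than ignored.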
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| url-parse (npm) | >= 0.1.0, < 1.4.5 | 1.4.5 |
Affected products
- url-parse/url-parse
Patches
3ecd256f127c [security] Trim left to prevent unsanitized input from generating false positives
3 files changed · +43 −1
index.js+17 −1 modified@@ -2,8 +2,20 @@ var required = require('requires-port') , qs = require('querystringify') + , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\// , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i - , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//; + , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]' + , left = new RegExp('^'+ whitespace +'+'); + +/** + * Trim a given string. + * + * @param {String} str String to trim. + * @public + */ +function trimLeft(str) { + return (str || '').replace(left, ''); +} /** * These are the parse rules for the URL parser, it informs the parser @@ -102,6 +114,7 @@ function lolcation(loc) { * @private */ function extractProtocol(address) { + address = trimLeft(address); var match = protocolre.exec(address); return { @@ -162,6 +175,8 @@ function resolve(relative, base) { * @private */ function Url(address, location, parser) { + address = trimLeft(address); + if (!(this instanceof Url)) { return new Url(address, location, parser); } @@ -429,6 +444,7 @@ Url.prototype = { set: set, toString: toString }; // Url.extractProtocol = extractProtocol; Url.location = lolcation; +Url.trimLeft = trimLeft; Url.qs = qs; module.exports = Url;
SECURITY.md+10 −0 modified@@ -33,6 +33,16 @@ acknowledge your responsible disclosure, if you wish. ## History +> The `extractProtocol` method does not return the correct protocol when +> provided with unsanitized content which could lead to false positives. + +- **Reporter credits** + - Reported through our security email & Twitter interaction. + - Twitter: [@ronperris](https://twitter.com/ronperris) + - Fixed in: 1.4.5 + +--- + > url-parse returns wrong hostname which leads to multiple vulnerabilities such > as SSRF, Open Redirect, Bypass Authentication Protocol.
test/test.js+16 −0 modified@@ -44,6 +44,14 @@ describe('url-parse', function () { describe('extractProtocol', function () { it('extracts the protocol data', function () { + assume(parse.extractProtocol('http://example.com')).eql({ + slashes: true, + protocol: 'http:', + rest: 'example.com' + }); + }); + + it('extracts the protocol data for nothing', function () { assume(parse.extractProtocol('')).eql({ slashes: false, protocol: '', @@ -60,6 +68,14 @@ describe('url-parse', function () { rest: input }); }); + + it('trimsLeft', function () { + assume(parse.extractProtocol(' javascript://foo')).eql({ + slashes: true, + protocol: 'javascript:', + rest: 'foo' + }); + }); }); it('parses the query string into an object', function () {
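Review bot: in the first index.js hunk, `left` is anchored only at the start of the input (`'^'+ whitespace +'+'`), so trailing whitespace and tab/newline characters placed after the scheme are still handed to `protocolre` untouched; if the intent is to match how browsers canonicalize an href, a trailing strip is worth considering in the same change. Also, the JSDoc on `trimLeft` says "Trim a given string." while the function only removes leading characters; make the comment say so (e.g. `* Trim leading whitespace from a given string.`) and add a `@returns {String}` line.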
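Review bot: in the `Url(address, location, parser)` hunk the constructor now calls `trimLeft(address)` and `extractProtocol` calls it again in its own hunk, so an address that reaches `extractProtocol` through the constructor is trimmed twice. Harmless, but either drop one call or add a short comment in the constructor explaining that it trims so the cleaned `address` is also what the relative/location handling further down sees.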
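Review bot: the new `trimsLeft` case in test/test.js exercises only a single ASCII space (`' javascript://foo'`), while the `whitespace` class added to index.js also lists `\xA0`, `\u3000`, `\uFEFF` and the other Unicode space characters; add at least one case for a non-ASCII entry (e.g. `'\uFEFFjavascript://foo'`) and one that goes through the `Url` constructor and asserts on `protocol` and `hostname`, since that is the path the advisory's security checks depend on and `Url` now calls `trimLeft` separately from `extractProtocol`.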
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-46c4-8wrp-j99v (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-8124 (NVD advisory)
- [3] github.com/github/advisory-database/pull/6762
- [4] github.com/unshiftio/url-parse/commit/3ecd256f127c3ada36a84d9b8dd3ebd14316274b (fix commit)
- [5] hackerone.com/reports/496293 (HackerOne report)