VYPR
High severity · NVD Advisory · Published Feb 21, 2021 · Updated Aug 3, 2024

CVE-2021-27516

Description

URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

URI.js before 1.19.6 misinterprets backslashes in URIs like http:\/ as relative paths, enabling hostname spoofing and bypassing security checks.

Vulnerability

Overview

CVE-2021-27516 affects URI.js (urijs) versions before 1.19.6. The library mishandles backslash characters (\) within URI scheme delimiters. Specifically, when a URI contains a backslash in place of a forward slash after the scheme (e.g., http:\/), the parser treats the entire URI as a relative path instead of an absolute one. This contradicts the expected behavior defined in RFC 3986, where backslash has no special meaning and should be treated as a literal character within the path component [1][2].

Exploitation

An attacker can craft a URI such as https:/\attacker.com or similar variations using backslashes. Because URI.js improperly interprets this as a relative path, the hostname is incorrectly parsed as attacker.com rather than being treated as part of the path or rejected. No authentication or special network access is required; the vulnerability lies entirely in client-side URL parsing logic. Applications relying on URI.js for URL validation, sanitization, or security decisions (e.g., for whitelisting or redirects) would therefore misidentify the target host [3][4].

Impact

Successful exploitation allows an attacker to perform hostname spoofing. For example, a malicious URI https:/\evil.com would be interpreted as pointing to evil.com instead of a path under the original host. This can lead to phishing, open redirect exploits, Server-Side Request Forgery (SSRF) bypasses, or other attacks that depend on accurate host extraction. The impact is particularly severe in security-critical contexts like URL validation libraries or reverse proxy configurations [1][3].

Mitigation

The issue was patched in URI.js version 1.19.6, released February 13, 2021. The fix treats backslashes as equivalent to forward slashes when determining the scheme delimiter, ensuring proper absolute URI parsing [3][4]. Users should update to version 1.19.6 or later. No workarounds are documented; updating the dependency is the recommended course of action.
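The parser differential behind this CVE, as an added example that is not URI.js code: a minimal re-creation of the scheme-delimiter check from parse() before and after commit a1ad8bcbc39a, compared against Node's WHATWG URL parser (the behaviour a browser follows). The function names and sample inputs are constructed for this example.

```javascript
// Added example, not code from URI.js. Re-creates only the scheme delimiter
// check patched in commit a1ad8bcbc39a; authority/host extraction is simplified
// (no protocol_expression validation, no IPv6 literals).

// Mirrors the check around src/URI.js:529: the two chars after ':' must be '//'.
// With fixed=true, backslashes in that slice count as '/', as the patch does.
function parseAuthority(input, fixed) {
  const pos = input.indexOf(':');
  if (pos === -1) return { protocol: null, hostname: null, relative: true };
  const protocol = input.substring(0, pos);
  let delim = input.substring(pos + 1, pos + 3);
  if (fixed) delim = delim.replace(/\\/g, '/');
  if (delim !== '//') {
    // Pre-1.19.6 behaviour for 'https:/\x': no '//' seen, so the whole input
    // is treated as a relative path and no hostname is extracted.
    return { protocol, hostname: null, relative: true };
  }
  // Authority runs until the first '/', '?' or '#'.
  const rest = input.substring(pos + 3);
  const end = rest.search(/[/?#]/);
  const authority = end === -1 ? rest : rest.substring(0, end);
  const hostname = authority.split('@').pop().split(':')[0];
  return { protocol, hostname, relative: false };
}

// Reference answer from the WHATWG parser: the host a browser would connect to.
function browserHostname(input) {
  try { return new URL(input).hostname; } catch (e) { return null; }
}

// Defender check: flag inputs where the library's view of the host
// disagrees with the browser's, which is exactly what a validator built
// on the vulnerable parser would miss.
function parserDifferential(input, fixed) {
  const libHost = parseAuthority(input, fixed).hostname;
  const browserHost = browserHostname(input);
  return { libHost, browserHost, mismatch: libHost !== browserHost };
}

// Constructed sample inputs, including the one from the patch's regression test.
const SAMPLES = ['https://example.com/a', 'https:/\\attacker.com', 'https:\\\\attacker.com/x'];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s),
    'old:', parserDifferential(s, false), 'fixed:', parserDifferential(s, true));
}
```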

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
urijs     npm         < 1.19.6            1.19.6


Patches

Commit a1ad8bcbc39a

fix(parse): treat backslash as forwardslash in scheme delimiter

https://github.com/medialize/URI.js · Rodney Rehm · Feb 13, 2021 · via ghsa
2 files changed · +50 −1
  • src/URI.js (+1 −1) modified
    @@ -526,7 +526,7 @@
             if (parts.protocol && !parts.protocol.match(URI.protocol_expression)) {
               // : may be within the path
               parts.protocol = undefined;
    -        } else if (string.substring(pos + 1, pos + 3) === '//') {
    +        } else if (string.substring(pos + 1, pos + 3).replace(/\\/g, '/') === '//') {
               string = string.substring(pos + 3);
     
               // extract "user:pass@host:port"
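Review bot: the backslash normalization applies only to the two-character delimiter slice checked on the `else if` line; the remainder of the string, consumed by `string = string.substring(pos + 3)`, still carries any other backslashes unchanged into the "user:pass@host:port" extraction that follows, so that path should be checked for consistent handling. A one-line comment on the new condition explaining why backslashes are accepted as delimiters (browser-style leniency, as opposed to the literal-character reading of RFC 3986) would also help future readers understand the intent.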
    
  • test/urls.js (+49 −0) modified
    @@ -2082,6 +2082,55 @@ var urls = [{
             idn: false,
             punycode: false
           }
    +    }, {
    +      name: 'backslashes protocol',
    +      url: 'https:/\\attacker.com',
    +      _url: 'https://attacker.com/',
    +      parts: {
    +        protocol: 'https',
    +        username: null,
    +        password: null,
    +        hostname: 'attacker.com',
    +        port: null,
    +        path: '/',
    +        query: null,
    +        fragment: null
    +      },
    +      accessors: {
    +        protocol: 'https',
    +        username: '',
    +        password: '',
    +        port: '',
    +        path: '/',
    +        query: '',
    +        fragment: '',
    +        resource: '/',
    +        authority: 'attacker.com',
    +        origin: 'https://attacker.com',
    +        userinfo: '',
    +        subdomain: '',
    +        domain: 'attacker.com',
    +        tld: 'com',
    +        directory: '/',
    +        filename: '',
    +        suffix: '',
    +        hash: '',
    +        search: '',
    +        host: 'attacker.com',
    +        hostname: 'attacker.com'
    +      },
    +      is: {
    +        urn: false,
    +        url: true,
    +        relative: false,
    +        name: true,
    +        sld: false,
    +        ip: false,
    +        ip4: false,
    +        ip6: false,
    +        idn: false,
    +        punycode: false
    +      }
         }
     ];
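Review bot: the regression test covers only the mixed form `'https:/\\attacker.com'` (one forward slash, one backslash); since the fix replaces every backslash in the delimiter slice, the two-backslash form (`https:\\\\...`) and the backslash-first form `http:\/` named in the CVE description would be worth adding as separate entries so both branches of the `replace(/\\/g, '/')` call are exercised, and a short `name` or comment noting that `_url` is the normalized output expected after the fix would make the case self-explanatory.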
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
