Authorization Bypass Through User-Controlled Key in medialize/uri.js
Description
Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
urijs prior to 1.19.8 lets an attacker bypass hostname validation: a case-varied scheme (e.g., hTTps) followed by excessive slashes is parsed with a hostname that differs from the one a browser or a WHATWG-compliant parser would extract from the same string.
Vulnerability
URI.js (npm package urijs) prior to version 1.19.8 contains a vulnerability classified as Authorization Bypass Through User-Controlled Key (CWE-639) [1][2]. The bug is in URI.parse(): the regular expression that normalises a scheme prefix such as https:// followed by a run of slashes was case-sensitive [3]. A URL with a case-varied scheme, for example hTTps://////attacker.com, therefore skipped that normalisation; the leftover slashes were read as the start of the path rather than as part of the authority, leaving urijs with an empty hostname and attacker.com inside the path component, while a browser or a WHATWG-compliant parser collapses the slashes and treats attacker.com as the host [3]. The fix adds the i flag to the regex, so scheme matching is case-insensitive and the excessive-slash handling that already existed for lowercase schemes applies to every casing [3].
Exploitation
An attacker crafts a URL with a case-varied scheme (e.g., hTTps, HTTP) followed by multiple slashes and a malicious hostname. No special network position or authentication is required; the precondition is that the application parses and validates URL hostnames with urijs prior to 1.19.8 before acting on the URL (issuing a request or a redirect). The attacker supplies the crafted URL as user input, for example in a query parameter or an API request body. Because urijs reports a hostname that differs from the one a browser or the application's HTTP client will actually resolve, host-based allowlist or denylist checks evaluate the wrong value, and the application can be made to redirect or connect to the attacker's server.
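As an added example (not code from the urijs project), the following JavaScript models the scheme-prefix normalisation described in the Vulnerability section and the parsing discrepancy the Exploitation section relies on, then layers a caller-side check on top. The two regular expressions are reconstructed from the fix commit, which differs only by the i flag, and are an assumption of this example; modelParse is a deliberate simplification of the authority extraction (no userinfo, ports, IPv6 literals, query or fragment), and hostAllowed is this example's own differential check against Node's built-in WHATWG URL parser, not a workaround documented by the project.

```javascript
// Added example, not code from the urijs project. It models the scheme-prefix
// normalisation in URI.parse() before and after 1.19.8 and the authority
// extraction that follows it, then layers a caller-side differential check on
// top. The regexes are reconstructed from the fix commit (only the "i" flag
// differs) and are an assumption; modelParse is a deliberate simplification
// that ignores userinfo, ports, IPv6 literals, query and fragment.

// Pre-1.19.8: the scheme alternation is case-sensitive, so "hTTps" does not
// match and the run of slashes after the colon is never collapsed.
const SCHEME_PREFIX_VULNERABLE = /^(https?|ftp|wss?)?:[\/\\]*/;
// 1.19.8: the same pattern with the "i" flag, so every casing of the scheme
// is rewritten to exactly "scheme://" no matter how many slashes follow.
const SCHEME_PREFIX_FIXED = /^(https?|ftp|wss?)?:[\/\\]*/i;

// Minimal stand-in for the steps after normalisation: split off "scheme:",
// require "//", then read the authority up to the first "/" as the hostname.
function modelParse(input, schemePrefix) {
  const s = input.replace(schemePrefix, '$1://');
  const colon = s.indexOf(':');
  if (colon === -1 || s.substring(colon + 1, colon + 3) !== '//') {
    return { protocol: null, hostname: '', path: s }; // no authority at all
  }
  const protocol = s.substring(0, colon).toLowerCase();
  const rest = s.substring(colon + 3);
  const slash = rest.indexOf('/');
  // When the authority part itself starts with "/", the hostname is empty and
  // everything, including the real target, is treated as path.
  return {
    protocol,
    hostname: slash === -1 ? rest : rest.substring(0, slash),
    path: slash === -1 ? '/' : rest.substring(slash),
  };
}

const parseVulnerable = (url) => modelParse(url, SCHEME_PREFIX_VULNERABLE);
const parseFixed = (url) => modelParse(url, SCHEME_PREFIX_FIXED);

// Caller-side check (this example's own suggestion, not a documented
// workaround): accept a URL only if the hostname the library reports agrees
// with the WHATWG parser built into Node, which is what a browser or fetch()
// will actually connect to, and that agreed hostname is on the allowlist.
function hostAllowed(url, allowlist, libraryHostname) {
  let whatwg;
  try {
    whatwg = new URL(url);
  } catch (e) {
    return false; // not an absolute URL a client could even resolve
  }
  if (whatwg.hostname !== libraryHostname.toLowerCase()) {
    return false; // parser disagreement is the signature of this bug class
  }
  return allowlist.includes(whatwg.hostname);
}

// Constructed inputs for the demonstration.
const CRAFTED = 'hTTps://////attacker.com';
const LOWERCASE = 'https://////attacker.com';
const LEGIT = 'HTTPS://Example.org/path';
const ALLOWLIST = ['example.org'];

function demo() {
  return {
    // Lowercase scheme: the pre-fix regex already collapses the slashes.
    lowercaseVulnerableHostname: parseVulnerable(LOWERCASE).hostname, // 'attacker.com'
    // Case-varied scheme: the host vanishes into the path on the vulnerable side.
    craftedVulnerableHostname: parseVulnerable(CRAFTED).hostname,     // ''
    craftedVulnerablePath: parseVulnerable(CRAFTED).path,             // '////attacker.com'
    craftedFixedHostname: parseFixed(CRAFTED).hostname,               // 'attacker.com'
    craftedBrowserHostname: new URL(CRAFTED).hostname,                // 'attacker.com'
    // A denylist check against '' would pass; the differential check rejects it.
    craftedAllowed: hostAllowed(CRAFTED, ALLOWLIST, parseVulnerable(CRAFTED).hostname), // false
    // A legitimate URL still passes even with the vulnerable parser.
    legitAllowed: hostAllowed(LEGIT, ALLOWLIST, parseVulnerable(LEGIT).hostname),       // true
  };
}

console.log(demo());
```

The differential check is the part worth keeping after the upgrade: any time a library's view of the host disagrees with the parser the HTTP client or browser will use, the safe answer is to reject the URL rather than trust either side.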
Impact
Successful exploitation lets an attacker bypass hostname validation or the authorization checks built on it, leading to redirection to an attacker-controlled host, information disclosure, or server-side request forgery (SSRF) [1][2]. The attacker may be able to make the application connect to a server they control, potentially exposing sensitive data or performing actions under the application's privileges.
Mitigation
The vulnerability is fixed in urijs version 1.19.8, released on or around February 16, 2022 [1][2]. Users should upgrade to version 1.19.8 or later. No public workarounds have been identified for versions prior to the fix. The Fedora security team also issued package updates via the Fedora announcement list [4]. There is no indication this CVE is listed in the KEV catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| urijs (npm) | < 1.19.8 | 1.19.8 |
Affected products
- medialize/medialize/uri.js v5, range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gcv8-gh4r-25x6 (GitHub Security Advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/ (Fedora package-announce vendor advisory; listed by MITRE and GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-0613 (NVD)
- github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f (fix commit)
- huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083 (huntr report)
News mentions
No linked articles in our index yet.