Moderate severity · NVD Advisory · Published Feb 17, 2022 · Updated Dec 16, 2025

Authorization Bypass Through User-Controlled Key in unshiftio/url-parse

CVE-2022-0639

Description

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authorization bypass in url-parse prior to 1.5.7 allows a user-controlled key to manipulate URL parsing, leading to host confusion.

Vulnerability

The url-parse library prior to version 1.5.7 contains an authorization bypass vulnerability due to incomplete handling of empty userinfo (auth) in URLs. When parsing URLs with an empty userinfo (e.g., http://@/127.0.0.1), the library omitted the @ symbol in the resulting href, causing the path portion to be misinterpreted as a host in certain contexts. This allows an attacker to inject a controlled host via a user-supplied key (URL parameter). [1][2]

Exploitation

An attacker can craft a URL with an empty authentication section and a path that resembles a host (e.g., http://@/attacker.com). When parsed by a vulnerable url-parse version, the @ is dropped, and the path /attacker.com may be treated as the host by downstream authorization checks. No special privileges are required; the attacker only needs to control the input to the url-parse function. [3][4]

Impact

Successful exploitation can lead to authorization bypass, allowing an attacker to confuse the application's understanding of the target host. This could enable server-side request forgery (SSRF), phishing, or other attacks that rely on host identity. The integrity of URL-based access controls is undermined. [1][2]

Mitigation

The fix is available in url-parse version 1.5.7, which re-adds the empty userinfo @ to the href output when the host is empty, preventing misinterpretation. Users should upgrade to version 1.5.7 or later. There are no known workarounds; applying the patch is the recommended mitigation. [3]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
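The host confusion described above can be reproduced without the library itself. The following is an added example, not code from url-parse: it models only the userinfo/host serialization step shown in the patch below (the `isSpecial` helper, the `slashes` flag and the `parts` object shape are assumptions standing in for the library's internals), serializes the constructed parse result for `http://@/127.0.0.1` both the old way and the patched way, and re-parses each result with Node's WHATWG `URL` to show which host a strict downstream consumer would see. It also includes the consumer-side check a defender would apply regardless of library version: authorize on the parsed host field and treat an empty host as a failure, never on the re-serialized href.

```javascript
// Added example (not url-parse's own code): models the toString() branch patched in
// url-parse 1.5.7 and shows why the dropped '@' mattered for host-based checks.

// Hypothetical stand-in for the library's isSpecial() helper (WHATWG special schemes).
const SPECIAL = new Set(['http:', 'https:', 'ftp:', 'ws:', 'wss:', 'file:']);
function isSpecial(protocol) {
  return SPECIAL.has(protocol);
}

// Serialize the authority part of a parse result the way the library's toString() does
// before the fix (fixed=false) and after it (fixed=true). `parts` mirrors the fields the
// patch's test asserts on: protocol, username, password, host, pathname, plus an assumed
// `slashes` flag that controls the '//' after the scheme.
function serialize(parts, fixed) {
  let result = parts.protocol;
  if (parts.slashes) result += '//';
  if (parts.username) {
    result += parts.username;
    if (parts.password) result += ':' + parts.password;
    result += '@';
  } else if (parts.password) {
    result += ':' + parts.password;
    result += '@';
  } else if (
    fixed &&
    parts.protocol !== 'file:' &&
    isSpecial(parts.protocol) &&
    !parts.host &&
    parts.pathname !== '/'
  ) {
    // The fix: keep the empty userinfo so the path cannot be re-read as a host.
    result += '@';
  }
  result += parts.host + parts.pathname;
  return result;
}

// Re-parse a serialized href with a strict WHATWG parser and return the host it sees.
// Returns null when the parser rejects the string, which is the safe outcome here: the
// original input never had a host, so a consumer should not be able to derive one.
function hostSeenByStrictParser(href) {
  try {
    return new URL(href).host;
  } catch (e) {
    return null;
  }
}

// Defender-side check: host-based authorization must look at the parsed host field and
// fail closed on an empty host, instead of re-parsing href where the ambiguity lives.
function hasUsableHost(parts) {
  return typeof parts.host === 'string' && parts.host.length > 0;
}

// Constructed input: the parse result for 'http://@/127.0.0.1' exactly as the patch's
// test describes it (empty auth, empty host, pathname '/127.0.0.1').
const emptyUserinfo = {
  protocol: 'http:',
  slashes: true,
  username: '',
  password: '',
  host: '',
  pathname: '/127.0.0.1',
};

// Run the comparison and return both serializations with the host each one yields.
function demo() {
  const before = serialize(emptyUserinfo, false); // 'http:///127.0.0.1'
  const after = serialize(emptyUserinfo, true);   // 'http://@/127.0.0.1'
  return {
    before,
    after,
    beforeHost: hostSeenByStrictParser(before), // '127.0.0.1': the path became the host
    afterHost: hostSeenByStrictParser(after),   // null: rejected, no host can be derived
    usableHost: hasUsableHost(emptyUserinfo),   // false: fail closed on empty host
  };
}

console.log(demo());
```

The pre-fix serialization collapses to `http:///127.0.0.1`, which a WHATWG parser normalizes to `http://127.0.0.1/`; any check that re-parses the href now sees a host the original input never carried. The patched form `http://@/127.0.0.1` is rejected outright by a strict parser, which preserves the "no host" meaning. The `hasUsableHost` check is the independent mitigation: an authorization decision keyed on the parsed `host` field with an explicit empty-host failure is not affected by how the href is serialized.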

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions     Patched versions
url-parse (npm)    >= 1.0.0, < 1.5.7     1.5.7

Affected products

  • ghsa-coords
    Range: >= 1.0.0, < 1.5.7
  • unshiftio/unshiftio/url-parsev5
    Range: unspecified

Patches

ef45a1355375

[fix] Readd the empty userinfo to `url.href` (#226)

https://github.com/unshiftio/url-parse · Luigi Pinca · Feb 16, 2022 · via ghsa
2 files changed · +70 −0
  • index.js · +11 −0 · modified
    @@ -539,6 +539,17 @@ function toString(stringify) {
       } else if (url.password) {
         result += ':'+ url.password;
         result += '@';
    +  } else if (
    +    url.protocol !== 'file:' &&
    +    isSpecial(url.protocol) &&
    +    !url.host &&
    +    url.pathname !== '/'
    +  ) {
    +    //
    +    // Add back the empty userinfo, otherwise the original invalid URL
    +    // might be transformed into a valid one with `url.pathname` as host.
    +    //
    +    result += '@';
       }
     
       result += url.host + url.pathname;
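Review bot: the new comment says why the `@` is restored but not why `url.pathname !== '/'` and `file:` are carved out of the condition, and that comment is the only documentation of the branch. Suggest extending it to state that a bare `/` path cannot be mistaken for a host (so serializing to `http:///` there is harmless) and that `file:` URLs legitimately have an empty host, and to note that this branch is only reached when both `url.username` and `url.password` are empty, since the two preceding branches already emit the `@`.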
    
  • test/test.js · +59 −0 · modified
    @@ -771,6 +771,65 @@ describe('url-parse', function () {
           assume(parsed.pathname).equals('/');
           assume(parsed.href).equals('http://user%40:pas%3As%40@www.example.com/');
         });
    +
    +    it('adds @ to href if auth and host are empty', function () {
    +      var parsed, i = 0;
    +      var urls = [
    +        'http:@/127.0.0.1',
    +        'http::@/127.0.0.1',
    +        'http:/@/127.0.0.1',
    +        'http:/:@/127.0.0.1',
    +        'http://@/127.0.0.1',
    +        'http://:@/127.0.0.1',
    +        'http:///@/127.0.0.1',
    +        'http:///:@/127.0.0.1'
    +      ];
    +
    +      for (; i < urls.length; i++) {
    +        parsed = parse(urls[i]);
    +
    +        assume(parsed.protocol).equals('http:');
    +        assume(parsed.auth).equals('');
    +        assume(parsed.username).equals('');
    +        assume(parsed.password).equals('');
    +        assume(parsed.host).equals('');
    +        assume(parsed.hostname).equals('');
    +        assume(parsed.pathname).equals('/127.0.0.1');
    +        assume(parsed.origin).equals('null');
    +        assume(parsed.href).equals('http://@/127.0.0.1');
    +        assume(parsed.toString()).equals('http://@/127.0.0.1');
    +      }
    +
    +      urls = [
    +        'http:@/',
    +        'http:@',
    +        'http::@/',
    +        'http::@',
    +        'http:/@/',
    +        'http:/@',
    +        'http:/:@/',
    +        'http:/:@',
    +        'http://@/',
    +        'http://@',
    +        'http://:@/',
    +        'http://:@'
    +      ];
    +
    +      for (i = 0; i < urls.length; i++) {
    +        parsed = parse(urls[i]);
    +
    +        assume(parsed.protocol).equals('http:');
    +        assume(parsed.auth).equals('');
    +        assume(parsed.username).equals('');
    +        assume(parsed.password).equals('');
    +        assume(parsed.host).equals('');
    +        assume(parsed.hostname).equals('');
    +        assume(parsed.pathname).equals('/');
    +        assume(parsed.origin).equals('null');
    +        assume(parsed.href).equals('http:///');
    +        assume(parsed.toString()).equals('http:///');
    +      }
    +    });
       });
     
       it('accepts multiple ???', function () {
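Review bot: both new loops exercise only `http:`, while the condition added in index.js branches on `url.protocol !== 'file:'` and `isSpecial(url.protocol)`; add a `file:` input and a non-special scheme to the first group and assert that their `href` does not gain an `@`, otherwise a regression in either guard passes this suite. Minor style point: `var parsed, i = 0;` followed by `for (; i < urls.length; i++)` reads worse than initializing `i` in the `for` header, as the second loop already does.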
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

