Authorization Bypass Through User-Controlled Key in unshiftio/url-parse
Description
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
url-parse prior to 1.5.8 allows authorization bypass via a crafted URL with an empty port, due to improper parsing of the port component.
Vulnerability
The url-parse npm package before version 1.5.8 contains an authorization bypass vulnerability through a user-controlled key. The issue lies in the URL parsing logic: the port component is extracted with the regular expression `/:(\d+)$/`, which requires one or more digits after the colon. When a URL contains a trailing colon with no port number (e.g., `http://example.com:`), the regex fails to match, so the colon is not consumed as a port and the host and path are parsed incorrectly. The parsed URL can therefore differ from the intended URL, potentially bypassing authorization checks that rely on the parsed hostname or path. Affected versions are all prior to 1.5.8. [1][2][3]
Exploitation
An attacker can exploit this by providing a crafted URL that includes a trailing colon after the hostname but no port number. For example, `http://example.com:` would be parsed incorrectly. The attacker does not need authentication; they only need to supply the malicious URL to an application that uses url-parse to validate or authorize access based on the parsed URL components. The exploitation does not require user interaction beyond the application processing the URL. [3]
Impact
Successful exploitation allows an attacker to bypass authorization mechanisms that depend on the parsed URL. For instance, if an application checks the hostname or path to decide whether to allow access, the misparsed URL could cause the check to be applied to a different host or path, potentially granting unauthorized access to resources. The impact is primarily integrity and confidentiality bypass, as the attacker may gain access to protected functionality or data. [2][4]
Mitigation
The vulnerability is fixed in version 1.5.8 of url-parse. Users should upgrade to this version or later. The fix changes the port regex to `/:(\d*)$/`, which accepts zero or more digits, and adds logic to `toString()` that re-adds a trailing colon when the host still ends with one, preventing an invalid URL from being transformed into a valid one. No workarounds are available for earlier versions. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date. [3][4]
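As an added example (not code from url-parse or from the advisory), a reduced JavaScript model of the parsing path this CVE concerns: the `port` rule with both regexes from the diff, the default-port override that sets `host` to `hostname` when no port is required (an assumption modelled from url-parse's parse loop, which the diff does not show; `DEFAULT_PORTS` stands in for the requires-port module), and the trailing-colon re-add from the patched `toString()`. It then runs the kind of hostname allowlist check the advisory describes against both versions.

```javascript
// Added example, not url-parse's own code: a reduced model of the parsing
// path this CVE concerns. Assumption: the default-port override (host is
// set to hostname when no port is required) is modelled from url-parse's
// parse loop, which the diff does not show, and DEFAULT_PORTS stands in for
// the requires-port module.

const PORT_RULE = {
  vulnerable: /:(\d+)$/,  // before 1.5.8: needs at least one digit
  fixed: /:(\d*)$/,       // 1.5.8: a bare trailing colon is an empty port
};
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// `authority` is what is left after hash, query, pathname and auth were
// split off, e.g. 'example.com:' for 'http://example.com:/'.
function parseAuthority(authority, protocol, version) {
  const out = { host: authority, hostname: authority, port: '' };
  const m = PORT_RULE[version].exec(authority);
  if (m) {                                     // RegExp rule: group 1 -> port,
    out.port = m[1];                           // text before the match -> hostname
    out.hostname = authority.slice(0, m.index);
  }
  // Default-port override: no required port means host === hostname.
  if (out.port === '' || out.port === DEFAULT_PORTS[protocol]) {
    out.host = out.hostname;
    out.port = '';
  }
  return out;
}

// The `host + pathname` step of toString(); in 1.5.8 the colon that the
// override stripped is put back when host still ends in ':' (the '::' case).
function serialize(parsed, pathname, version) {
  let host = parsed.host;
  if (version === 'fixed' && host[host.length - 1] === ':') host += ':';
  return host + pathname;
}

// The kind of check the advisory describes: an allowlist on the parsed
// hostname. The vulnerable rule leaves the colon inside `hostname`, so the
// two versions judge the same input differently.
function hostAllowed(authority, protocol, version, allowlist) {
  return allowlist.includes(parseAuthority(authority, protocol, version).hostname);
}
```

The `::` case reproduces the `host`, `hostname` and `href` values the new test in the fix commit asserts.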
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| url-parse (npm) | < 1.5.8 | 1.5.8 |
Affected products
- unshiftio/url-parse v5 (range: unspecified)
Patches
d5c64791ef49 [fix] Handle the case where the port is specified but empty
2 files changed · +32 −3
index.js+10 −3 modified@@ -39,7 +39,7 @@ var rules = [ ['/', 'pathname'], // Extract from the back. ['@', 'auth', 1], // Extract from the front. [NaN, 'host', undefined, 1, 1], // Set left over value. - [/:(\d+)$/, 'port', undefined, 1], // RegExp the back. + [/:(\d*)$/, 'port', undefined, 1], // RegExp the back. [NaN, 'hostname', undefined, 1, 1] // Set left over. ]; @@ -524,6 +524,7 @@ function toString(stringify) { var query , url = this + , host = url.host , protocol = url.protocol; if (protocol && protocol.charAt(protocol.length - 1) !== ':') protocol += ':'; @@ -542,7 +543,7 @@ function toString(stringify) { } else if ( url.protocol !== 'file:' && isSpecial(url.protocol) && - !url.host && + !host && url.pathname !== '/' ) { // @@ -552,7 +553,13 @@ function toString(stringify) { result += '@'; } - result += url.host + url.pathname; + // + // Trailing colon is removed from `url.host` when it is parsed. If it still + // ends with a colon, then add back the trailing colon that was removed. This + // prevents an invalid URL from being transformed into a valid one. + // + if (host[host.length - 1] === ':') host += ':'; + result += host + url.pathname; query = 'object' === typeof url.query ? stringify(url.query) : url.query; if (query) result += '?' !== query.charAt(0) ? '?'+ query : query;
test/test.js+22 −0 modified@@ -442,6 +442,28 @@ describe('url-parse', function () { assume(parsed.href).equals('sip:alice@atlanta.com'); }); + it('handles the case where the port is specified but empty', function () { + var parsed = parse('http://example.com:'); + + assume(parsed.protocol).equals('http:'); + assume(parsed.port).equals(''); + assume(parsed.host).equals('example.com'); + assume(parsed.hostname).equals('example.com'); + assume(parsed.pathname).equals('/'); + assume(parsed.origin).equals('http://example.com'); + assume(parsed.href).equals('http://example.com/'); + + parsed = parse('http://example.com::'); + + assume(parsed.protocol).equals('http:'); + assume(parsed.port).equals(''); + assume(parsed.host).equals('example.com:'); + assume(parsed.hostname).equals('example.com:'); + assume(parsed.pathname).equals('/'); + assume(parsed.origin).equals('http://example.com:'); + assume(parsed.href).equals('http://example.com::/'); + }); + describe('origin', function () { it('generates an origin property', function () { var url = 'http://google.com:80/pathname'
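Review bot: in the first index.js hunk, changing `\d+` to `\d*` makes the port rule match a bare trailing colon, so for an input like `http://example.com::` only the last colon is consumed as the (empty) port and the one before it stays in `host` and `hostname` (`example.com:`, as the new test asserts). That is a deliberate semantic change for callers that read `port` or `hostname`; a comment on the rule line or a changelog entry saying that an empty port is now recognised would save the next reader from having to infer it from the test.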
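Review bot: in the last index.js hunk, `host[host.length - 1] === ':'` indexes with -1 when `host` is the empty string, which yields `undefined` and so skips the re-add; that is the wanted outcome, but `host.slice(-1) === ':'` or `host.endsWith(':')` states it without relying on an out-of-range index. The new comment also says the trailing colon "is removed from `url.host` when it is parsed", yet that removal is not part of this diff; a pointer to where in the parser it happens would make the pairing between the two sites visible.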
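Review bot: the test hunk exercises `http://example.com:` and `http://example.com::` only at the root path and without credentials, while the index.js changes touch the `url.pathname !== '/'` branch (now keyed on `!host`) and the `result += '@'` path just before `host + url.pathname` is appended. Add cases with a non-root pathname and with `user@` in the authority so `toString()` is covered on those branches with an empty port, and assert `href` there as well.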
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hgjh-723h-mx2j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-0686 (advisory)
- github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5 (fix commit)
- huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c (web)
- lists.debian.org/debian-lts-announce/2023/02/msg00030.html (mailing list)
- security.netapp.com/advisory/ntap-20220325-0006 (web; also listed by MITRE)
News mentions
No linked articles in our index yet.