Authorization Bypass Through User-Controlled Key in unshiftio/url-parse
Description
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
url-parse prior to 1.5.9 allows authorization bypass via user-controlled key due to improper stripping of leading control characters.
Vulnerability
The vulnerability resides in the url-parse npm package and affects all versions from 0.1.0 up to, but not including, 1.5.9 [3]. The library uses a regular expression named whitespace to strip leading whitespace from a URL string, but the pre-1.5.9 regex only removes a limited set of whitespace characters (space, tab, newline and a handful of Unicode spaces). Other control characters, for example the null byte and most of the ASCII control range \x00-\x20, are left in place [4]. An attacker can prepend such characters to the URL string so that the parser misidentifies the hostname and protocol, leading to an authorization bypass through a user-controlled key [2].
Exploitation
The attacker does not need any special network position or authentication; the vulnerability is triggered whenever a user-controlled URL string is parsed by the vulnerable url-parse constructor. The attacker can craft a URL with leading control characters (e.g., null bytes or other whitespace-like characters) that the trimLeft function does not remove. When such a string is passed to the Url constructor, the parser misparses it, potentially treating the hostname or protocol differently than expected. Exploitation requires no user interaction beyond the application processing the attacker-supplied URL [1][4].
Impact
Successful exploitation allows an attacker to bypass authorization checks. Since the parser incorrectly identifies the hostname or protocol, the attacker can craft URLs that appear to reference a trusted origin but actually point to a malicious one, leading to potential information disclosure, phishing, or server-side request forgery (SSRF) depending on how the parsed URL is used by the application. The impact is scope-dependent, but can result in the attacker controlling a key value used for authorization decisions [2].
Mitigation
A fix was implemented in commit 0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63, which updates the whitespace regex to include all control characters in the range \x00-\x20 [4]. The vulnerability is fully resolved in version 1.5.9 of the url-parse package. Users should upgrade to version 1.5.9 or later. No workarounds are known for versions prior to 1.5.9 other than upgrading. Versions 0.0.0-0.0.4 are not affected [3]. The CVE is not listed on KEV as of the publication date.
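The following is an added example, not code from url-parse or from the fix commit. It takes the pre-1.5.9 and 1.5.9 forms of the whitespace regex (copied from the diff shown on this page) and applies each through a trimLeft of the same shape as the library's, so a defender can see exactly which leading character codes the old expression left in place and confirm that the fixed expression strips the whole \x00-\x20 range. The sample URL, the helper names (trimLeftWith, unstrippedCodes, startsWithC0Control) and the detection check are assumptions made for this illustration.

```javascript
// Added example (not url-parse's own code): compare the two versions of the
// `whitespace` regex from the fix commit and show what each one strips.

// Pre-1.5.9 regex: an explicit list of whitespace characters (copied from the diff).
const WHITESPACE_OLD = /^[ \f\n\r\t\v\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
// 1.5.9 regex: every C0 control character plus space (\x00-\x20), then the Unicode spaces.
const WHITESPACE_NEW = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;

// Left-trim with a given regex; same shape as the library's trimLeft (hypothetical helper).
function trimLeftWith(re, str) {
  return str.toString().replace(re, '');
}
const trimLeftOld = (s) => trimLeftWith(WHITESPACE_OLD, s);
const trimLeftNew = (s) => trimLeftWith(WHITESPACE_NEW, s);

// Return the char codes in 0..32 that a regex fails to strip when they lead the string.
function unstrippedCodes(re) {
  const out = [];
  for (let code = 0; code <= 32; code++) {
    const ch = String.fromCharCode(code);
    if (trimLeftWith(re, ch + ch + 'lol') !== 'lol') out.push(code);
  }
  return out;
}

// Detection check (hypothetical): does the string start with a C0 control character?
// These are exactly the characters the old regex did not list.
function startsWithC0Control(str) {
  return /^[\x00-\x1f]/.test(str);
}

// Constructed sample: a URL prefixed with a NUL byte and a unit separator (0x1f).
const SAMPLE = '\x00\x1fhttps://example.com/';

console.log('old regex leaves:', JSON.stringify(trimLeftOld(SAMPLE)));
console.log('new regex leaves:', JSON.stringify(trimLeftNew(SAMPLE)));
console.log('codes 0..32 not stripped by old regex:', unstrippedCodes(WHITESPACE_OLD));
console.log('codes 0..32 not stripped by new regex:', unstrippedCodes(WHITESPACE_NEW));
console.log('sample starts with C0 control:', startsWithC0Control(SAMPLE));
```

Running this shows that the old expression leaves 27 of the 33 codes in 0..32 untouched (everything except tab, LF, VT, FF, CR and space), while the new expression strips all of them; the Unicode spaces such as \u00a0 are removed by both. The startsWithC0Control check is only a way to spot such inputs in logs or tests; the fix itself is the upgrade to 1.5.9.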
- GitHub - unshiftio/url-parse: Small footprint URL parser that works seamlessly across Node.js and browser environments.
- NVD - CVE-2022-0691
- [GHSA-jf5r-8hm2-f872] url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. by ljharb · Pull Request #6765 · github/advisory-database
- [fix] Strip all control characters from the beginning of the URL · unshiftio/url-parse@0e3fb54
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| url-parse (npm) | >= 0.1.0, < 1.5.9 | 1.5.9 |
Affected products
- unshiftio/url-parse v5, Range: unspecified
Patches
- 0e3fb542d60d [fix] Strip all control characters from the beginning of the URL
2 files changed · +9 −3
index.js+1 −1 modified@@ -6,7 +6,7 @@ var required = require('requires-port') , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\// , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\\/]+)?([\S\s]*)/i , windowsDriveLetter = /^[a-zA-Z]:/ - , whitespace = /^[ \f\n\r\t\v\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/; + , whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/; /** * Trim a given string.
test/test.js+8 −2 modified@@ -47,8 +47,14 @@ describe('url-parse', function () { assume(parse.trimLeft).is.a('function'); }); - it('removes whitespace on the left', function () { - assume(parse.trimLeft(' lol')).equals('lol'); + it('removes control characters on the left', function () { + var i = 0; + var prefix = '' + + for (; i < 33; i++) { + prefix = String.fromCharCode(i); + assume(parse.trimLeft(prefix + prefix +'lol')).equals('lol'); + } }); it('calls toString on a given value', function () {
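Review bot: in the index.js hunk, the `whitespace` identifier and the "Trim a given string." comment above trimLeft still describe whitespace only, while the new character class now covers the whole C0 control range plus space (`\x00-\x20`); rename the regex (for example to something like `controlOrWhitespace`) or extend the comment to say that leading C0 control characters are stripped too, so a later edit does not narrow the class back to a whitespace list. The comment could also state that only leading characters are removed (the `^` anchor), which the commit title says but the function name does not.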
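Review bot: in the test/test.js hunk, the new loop checks codes 0 through 32 with the same character doubled (`prefix + prefix + 'lol'`), but neither the removed `' lol'` case nor the loop covers the Unicode space entries (`\u00a0` and the others) that remain in the regex, nor a mixed prefix such as a control character followed by `\u00a0`; adding one such case would catch a regression in either half of the character class. Style-wise, `var i = 0;` can move into the `for` header (`for (var i = 0; i < 33; i++)`), `var prefix = ''` is missing its semicolon, and `+'lol'` is missing a space.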
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jf5r-8hm2-f872 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-0691 (ghsa: ADVISORY)
- github.com/github/advisory-database/pull/6765 (ghsa: WEB)
- github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63 (ghsa: WEB)
- huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4 (ghsa: WEB)
- lists.debian.org/debian-lts-announce/2023/02/msg00030.html (ghsa: mailing-list, WEB)
- security.netapp.com/advisory/ntap-20220325-0006 (ghsa: WEB)
- security.netapp.com/advisory/ntap-20220325-0006/ (mitre)
News mentions
No linked articles in our index yet.