VYPR
High severity · NVD Advisory · Published Jun 27, 2022 · Updated Aug 2, 2024

Exposure of Sensitive Information to an Unauthorized Actor in ionicabizau/parse-url

CVE-2022-0722

Description

parse-url before 7.0.0 leaks sensitive authentication data in parsed URL objects, allowing unauthorized actors to access credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Background

The parse-url library for Node.js, prior to version 7.0.0, contains an information exposure vulnerability (CVE-2022-0722). The flaw stems from improper handling of URL components during parsing, potentially leaking sensitive authentication details such as usernames and passwords embedded in URLs. The codebase, when normalizing URLs, fails to sufficiently sanitize or restrict the output, inadvertently exposing credential information in the resulting parsed object [1][2].

Attack

Vector

An attacker does not need direct authentication to the vulnerable application; instead, the risk manifests when an application uses parse-url to process user-supplied URLs or URLs from untrusted sources. If a URL containing credentials (e.g., http://user:pass@host) is parsed, the user field in the returned object retains those credentials. A downstream component that logs, displays, or transmits these parsed results can leak the credentials to unauthorized parties. No special network position is required beyond the ability to supply a crafted URL to the parsing function [2][3].
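The retention described above, shown with an added example that is not parse-url's code: Node's built-in WHATWG `URL` parser stands in for parse-url, the field names are assumed to mirror parse-url's output shape, and a redaction step strips the credentials before the parsed object reaches a log or a response.

```javascript
// Added example, not from parse-url: Node's built-in WHATWG URL parser stands
// in for parse-url so the block runs stand-alone. Field names below are chosen
// to mirror parse-url's output shape (protocol, resource, port, user, ...).

// Parse into a parse-url-like object. `user` and `password` are filled from
// the userinfo part of the input and, unredacted, travel with the object.
function parseUrlLike(input) {
  const u = new URL(input);
  return {
    protocol: u.protocol.replace(/:$/, ""),
    resource: u.hostname,
    port: u.port,
    user: decodeURIComponent(u.username),
    password: decodeURIComponent(u.password),
    pathname: u.pathname,
    search: u.search.replace(/^\?/, ""),
    hash: u.hash.replace(/^#/, ""),
    href: u.href,
  };
}

// Detection hook for untrusted input: true when the URL carries userinfo.
// A consumer that never expects credentials can reject or alert on these.
function containsCredentials(input) {
  const u = new URL(input);
  return u.username !== "" || u.password !== "";
}

// Produce a copy that is safe to log, display or transmit: the structured
// fields and the href are both stripped of credentials.
function redactCredentials(parsed) {
  const safe = { ...parsed };
  if (safe.user !== "") safe.user = "[REDACTED]";
  if (safe.password !== "") safe.password = "[REDACTED]";
  const u = new URL(parsed.href);
  u.username = "";
  u.password = "";
  safe.href = u.href;
  return safe;
}

// Constructed sample input; logging `raw` as-is would leak "pass".
const raw = parseUrlLike("http://user:pass@example.com:8080/path?q=1#frag");
const safeForLog = redactCredentials(raw);
console.log(JSON.stringify(safeForLog));
```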

Impact

Successful exploitation allows an unauthorized actor to obtain sensitive authentication information (usernames and passwords) from parsed URLs. This can lead to account takeover, unauthorized access to protected resources, or lateral movement within an infrastructure if the credentials are reused. The severity is elevated because URLs with embedded credentials are common in enterprise tools, CI/CD pipelines, and internal systems [1][3].

Mitigation

The vulnerability is fixed in parse-url version 7.0.0 and later, released via commit 21c72ab. Users should upgrade immediately. No workaround is provided; the library must be updated to the patched version. The fix refactors the parsing logic and upgrades dependencies to properly sanitize authentication fields [2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem  Affected versions  Patched versions
parse-url  npm        < 6.0.1            6.0.1

Patches

21c72ab94122

Refactor codebase, upgrade dependencies

https://github.com/ionicabizau/parse-url · Ionică Bizău · Jun 27, 2022 · via ghsa
3 files changed · +54 −26
  • lib/index.js · +33 −12 · modified
    @@ -1,8 +1,10 @@
     "use strict"
     
    +// Dependencies
     const parsePath = require("parse-path")
         , normalizeUrl = require("normalize-url")
     
    +
     /**
      * parseUrl
      * Parses the input url.
    @@ -12,7 +14,7 @@ const parsePath = require("parse-path")
      * @name parseUrl
      * @function
      * @param {String} url The input url.
    - * @param {Boolean|Object} normalize Wheter to normalize the url or not.
    + * @param {Boolean|Object} normalize Whether to normalize the url or not.
      *                         Default is `false`. If `true`, the url will
      *                         be normalized. If an object, it will be the
      *                         options object sent to [`normalize-url`](https://github.com/sindresorhus/normalize-url).
    @@ -21,21 +23,26 @@ const parsePath = require("parse-path")
      *
      * @return {Object} An object containing the following fields:
      *
    - *  - `protocols` (Array): An array with the url protocols (usually it has one element).
    - *  - `protocol` (String): The first protocol, `"ssh"` (if the url is a ssh url) or `"file"`.
    - *  - `port` (null|Number): The domain port.
    - *  - `resource` (String): The url domain (including subdomains).
    - *  - `user` (String): The authentication user (usually for ssh urls).
    - *  - `pathname` (String): The url pathname.
    - *  - `hash` (String): The url hash.
    - *  - `search` (String): The url querystring value.
    - *  - `href` (String): The input url.
    - *  - `query` (Object): The url querystring, parsed as object.
    + *    - `protocols` (Array): An array with the url protocols (usually it has one element).
    + *    - `protocol` (String): The first protocol, `"ssh"` (if the url is a ssh url) or `"file"`.
    + *    - `port` (null|Number): The domain port.
    + *    - `resource` (String): The url domain (including subdomains).
    + *    - `user` (String): The authentication user (usually for ssh urls).
    + *    - `pathname` (String): The url pathname.
    + *    - `hash` (String): The url hash.
    + *    - `search` (String): The url querystring value.
    + *    - `href` (String): The input url.
    + *    - `query` (Object): The url querystring, parsed as object.
      */
    -function parseUrl(url, normalize = false) {
    +const parseUrl = (url, normalize = false) => {
    +
    +    // Constants
    +    const GIT_RE = /((git@|http(s)?:\/\/)([\w\.@]+)(\/|:))(([\~,\w,\-,\_,\/]+)(.git){0,1}((\/){0,1}))/
    +
         if (typeof url !== "string" || !url.trim()) {
             throw new Error("Invalid url.")
         }
    +
         if (normalize) {
             if (typeof normalize !== "object") {
                 normalize = {
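Review bot: the JSDoc return list in this hunk still ends at `user`, while test/index.js in the same commit expects a `password` field on every result (`c[1].password = c[1].password || ""`); document the new field and note that `user` and `password` are secrets that callers must strip before logging or transmitting the object. Separately, `GIT_RE` is rebuilt on every call and its character class `[\~,\w,\-,\_,\/]` contains literal commas while `(.git)` has an unescaped dot; hoist the regex to module scope and write `[~\w\-_\/]+` and `(\.git)?`.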
    @@ -44,7 +51,21 @@ function parseUrl(url, normalize = false) {
             }
             url = normalizeUrl(url, normalize)
         }
    +
         const parsed = parsePath(url)
    +
    +    // Potential git-ssh urls
    +    if (parsed.protocol === "file") {
    +        const matched  = parsed.href.match(GIT_RE)
    +        if (matched) {
    +            parsed.protocols = ["ssh"]
    +            parsed.protocol = "ssh"
    +            parsed.resource = matched[4]
    +            parsed.user = "git"
    +            parsed.pathname = `/${matched[6]}`
    +        }
    +    }
    +
         return parsed;
     }
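Review bot: the git-ssh fallback in this hunk hardcodes `parsed.user = "git"` and takes `resource` from `matched[4]`, whose class `[\w\.@]+` admits `@`, so a file-classified href whose host part contains a further `@` would carry that userinfo into `resource` instead of being separated out; take the user from the match and exclude `@` from the host group. Since `parsed` is otherwise returned unchanged, the credential handling this advisory concerns now lives entirely in parse-path ^5.0.0; a one-line comment above `return parsed` saying so would help future reviewers.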
     
    
  • package.json · +4 −4 · modified
    @@ -31,10 +31,10 @@
         "tester": "^1.3.1"
       },
       "dependencies": {
    -    "is-ssh": "^1.3.0",
    +    "is-ssh": "^1.4.0",
         "normalize-url": "^6.1.0",
    -    "parse-path": "^4.0.4",
    -    "protocols": "^1.4.0"
    +    "parse-path": "^5.0.0",
    +    "protocols": "^2.0.1"
       },
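Review bot: this hunk moves parse-path and protocols across major versions (4 to 5, 1 to 2), and the test fixtures in the same commit change `port` from `null` to `""` and add `query` and `password` keys, so the shape of parse-url's return value changes for consumers; bump parse-url's own major version and add a changelog entry naming the new `password` field and the `port` type change so users upgrading for the advisory know what to adjust.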
       "files": [
         "bin/",
    @@ -56,4 +56,4 @@
           "For low-level path parsing, check out [`parse-path`](https://github.com/IonicaBizau/parse-path). This very module is designed to parse urls. By default the urls are normalized."
         ]
       }
    -}
    \ No newline at end of file
    +}
    
  • test/index.js · +17 −10 · modified
    @@ -2,7 +2,6 @@
     const parseUrl = require("../lib")
         , tester = require("tester")
         , normalizeUrl = require("normalize-url")
    -    , qs = require("querystring")
         ;
     
     const INPUTS = [
    @@ -11,77 +10,83 @@ const INPUTS = [
           , {
                 protocols: [ "http" ]
               , protocol: "http"
    -          , port: null
    +          , port: ""
               , resource: "ionicabizau.net"
               , user: ""
               , pathname: "/blog"
               , hash: ""
               , search: ""
    +          , query: {}
             }
         ]
       , [
             "//ionicabizau.net/foo.js"
           , {
                 protocols: ["http"]
               , protocol: "http"
    -          , port: null
    +          , port: ""
               , resource: "ionicabizau.net"
               , user: ""
               , pathname: "/foo.js"
               , hash: ""
               , search: ""
    +          , query: {}
             }
         ]
       , [
             "http://domain.com/path/name#some-hash?foo=bar"
           , {
                 protocols: ["http"]
               , protocol: "http"
    -          , port: null
    +          , port: ""
               , resource: "domain.com"
               , user: ""
               , pathname: "/path/name"
               , hash: "some-hash?foo=bar"
               , search: ""
    +          , query: {}
             }
         ]
       , [
             ["git+ssh://git@host.xz/path/name.git", false]
           , {
                 protocols: ["git", "ssh"]
               , protocol: "git"
    -          , port: null
    +          , port: ""
               , resource: "host.xz"
               , user: "git"
               , pathname: "/path/name.git"
               , hash: ""
               , search: ""
    +          , query: {}
             }
         ]
       , [
             ["git@github.com:IonicaBizau/git-stats.git", false]
           , {
    -            protocols: []
    +            protocols: ["ssh"]
               , protocol: "ssh"
    -          , port: null
    +          , port: ""
               , resource: "github.com"
               , user: "git"
               , pathname: "/IonicaBizau/git-stats.git"
               , hash: ""
               , search: ""
    +          , query: {}
             }
         ]
       , [
             ["http://ionicabizau.net/with-true-normalize", true]
           , {
                 protocols: [ "http" ]
               , protocol: "http"
    -          , port: null
    +          , port: ""
               , resource: "ionicabizau.net"
               , user: ""
               , pathname: "/with-true-normalize"
               , hash: ""
               , search: ""
    +          , query: {}
             }
         ]
     ];
    @@ -91,13 +96,15 @@ tester.describe("check urls", test => {
             let url = Array.isArray(c[0]) ? c[0][0] : c[0]
             test.should("support " + url, () => {
                 const res = parseUrl(url, c[0][1] !== false);
    +
                 if (c[0][1] !== false) {
                     url = normalizeUrl(url, {
                         stripHash: false
                     })
                 }
    -            c[1].query = qs.parse(c[1].search)
    -            c[1].href = url
    +
    +            c[1].href = c[1].href || url
    +            c[1].password = c[1].password || ""
                 test.expect(res).toEqual(c[1]);
             });
         });
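Review bot: `c[1].href = c[1].href || url` and `c[1].password = c[1].password || ""` mutate the shared INPUTS fixtures in place and default `password` to the empty string, and no fixture in this file contains userinfo, which is exactly the input class the advisory is about; add at least one case of the `http://user:pass@host` form with `user` and `password` set explicitly in the expected object, so a regression in credential handling fails a test rather than passing through the default.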
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
