Open Redirect in medialize/uri.js
Description
Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open redirect vulnerability in URI.js before 1.19.10 allows attackers to send users to arbitrary URLs via crafted URIs that contain extra colons in the scheme delimiter.
Vulnerability
An open redirect vulnerability exists in the URI.js JavaScript library (npm package urijs) before version 1.19.10. The bug lies in the URL parsing logic, specifically in the regular expression that recognises the scheme delimiter. When a URI carries extra colons in that delimiter (for example http::// or http::\\), the pattern normalises the string incorrectly, so the library's view of where the host begins no longer matches the browser's. An attacker can therefore craft a URL that a URI.js-based check accepts as pointing at a legitimate domain (or at no external host at all) while the browser is sent to an arbitrary external site. All releases before 1.19.10 are affected; the fix is commit a8166fe02f3af6dc1b2b888dcbb807155aad9509 [2][3].
Exploitation
An attacker exploits the flaw by placing more than one colon in the scheme delimiter, for example http:://attacker.com or http::\\attacker.com. Before the fix, the scheme-delimiter pattern ^(https?|ftp|wss?)?:[/\\]* matched the scheme and exactly one colon, so any further colons were never consumed and were carried into the text the parser goes on to treat as the authority. The host that URI.js reports for such a string therefore differs from the host a browser resolves when given the same URL, or the library's re-serialised form of it, and an attacker-controlled destination can pass a host check built on the library's parse. The attacker then only needs a user to follow the crafted link, for example through a phishing email or a malicious page. No authentication or special privileges are required; the vulnerability is triggered purely by parsing the malicious URI [2][3].
Impact
Successful exploitation lets an attacker perform an open redirect: the user's browser is sent to an arbitrary external domain under the attacker's control. This can be used for phishing, credential theft, or bypassing URL-based security checks. The impact is limited to redirection; the attacker gains neither code execution nor direct access to the victim's system. Any application that relies on URI.js's parse of a user-supplied URL to decide whether a redirect target is trusted, without independent validation, is affected [1][2].
Mitigation
The vulnerability is fixed in URI.js version 1.19.10, released on March 5, 2022 [4]; upgrade to that version or later. No workaround is documented. Applications that cannot upgrade should validate redirect targets independently of the library, on the server or client side, and allow only destinations on trusted domains. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| urijs (npm) | < 1.19.10 | 1.19.10 |
Affected products
- medialize/medialize/uri.js (v5; range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8h2f-7jc4-7m3m (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-0868 (NVD advisory)
- github.com/medialize/URI.js/releases/tag/v1.19.10 (release notes)
- github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509 (fix commit)
- huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02 (huntr report)
News mentions
No linked articles in our index yet.