URL Confusion When Scheme Not Supplied in medialize/uri.js
Description
URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-1233: URI.js before 1.19.11 misinterprets URLs without a scheme (e.g., "/\") as valid authority URIs, enabling spoofing attacks.
Vulnerability
In GitHub repository medialize/uri.js prior to version 1.19.11, the URI.parse() function improperly handles URLs when no scheme is supplied and excessive slashes (or backslashes) are present. Specifically, the URL string is not normalized to a proper scheme-relative form, which can lead to ambiguous parsing. This was fixed by adding a regex replacement to reduce multiple slashes/backslashes to // before further processing, as shown in the commit [2] and described in the security update [1]. Affected versions: all before 1.19.11.
Exploitation
An attacker can craft a URL without a scheme (e.g., :/\\//user@attacker.com or //\attacker.com) that, when parsed by URI.js, could be interpreted as a scheme-relative URL pointing to an attacker-controlled host. No authentication or special network position is required; the attacker need only supply such a URL to an application that uses the vulnerable library to parse user-supplied URLs. The fix ensures that excessive slashes and backslashes are reduced to the standard // prefix before protocol extraction [2].
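The slash-collapsing step described above, and the parsing confusion it prevents, as an added example in plain JavaScript that is not URI.js code: parseSchemeless() is a minimal stand-in for URI.parse() on scheme-less input, normalizeLeadingSlashes() applies a regex with the effect the advisory describes (the library's exact expression may differ), and the hostnames are constructed placeholders.

```javascript
// Added example, not URI.js source. parseSchemeless() is a minimal stand-in
// for URI.parse() on scheme-less input; normalizeLeadingSlashes() has the
// effect the advisory describes (collapse leading "/" and "\" runs to "//"),
// though the library's exact regex may differ.

// Treat only a literal "//" prefix as a scheme-relative authority; anything
// else is taken to be a path. This mirrors the pre-fix assumption.
function parseSchemeless(url) {
  if (url.substring(0, 2) !== '//') {
    return { hostname: null, path: url };
  }
  const rest = url.substring(2);
  const end = rest.search(/[/?#]/);
  const authority = end === -1 ? rest : rest.substring(0, end);
  const path = end === -1 ? '' : rest.substring(end);
  // strip userinfo@ and :port, leaving the host
  const host = authority.substring(authority.lastIndexOf('@') + 1);
  return { hostname: host.split(':')[0], path };
}

// The fix: browsers treat "/" and "\" interchangeably for web schemes, so a
// leading run of two or more of either is collapsed to "//" before protocol
// extraction. Without this, "/\host" is seen as a path while a browser
// navigates to host.
function normalizeLeadingSlashes(url) {
  return url.replace(/^[/\\]{2,}/, '//');
}

// Patched behaviour: normalize, then parse.
function parsePatched(url) {
  return parseSchemeless(normalizeLeadingSlashes(url));
}

// Defender-side check for a redirect target: only a URL that parses with no
// hostname should be treated as staying on the current origin.
function isLocalRedirect(url, parser) {
  return parser(url).hostname === null;
}

// Constructed samples; "attacker.example" is a placeholder host.
const samples = ['/\\attacker.example', '/\\\\//user@attacker.example', '/account'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    'unnormalized (pre-fix) says local:', isLocalRedirect(s, parseSchemeless),
    'patched says local:', isLocalRedirect(s, parsePatched));
}
```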
Impact
Successful exploitation allows an attacker to trick the URL parser into misidentifying the host portion of a URL, potentially leading to open redirect, SSRF, or spoofing of trusted domains. The parser would misinterpret the URL as having a scheme-relative authority (starting with //) when the original intent might have been a path-relative or protocol-relative URL. This could be used in phishing attacks or to bypass URL validation logic in applications relying on URI.js [3].
Mitigation
The vulnerability is fixed in version 1.19.11, released on or around April 4, 2022. Users must upgrade to version 1.19.11 or later. The fix is available in the commit at [2], and additional details are provided in the Huntr report [4]. No workaround exists; upgrading is the only recommended mitigation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| urijs (npm) | < 1.19.11 | 1.19.11 |
Affected products
- medialize / medialize/uri.js (range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g694-m8vq-gv9h (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-1233 (advisory, via GHSA)
- github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277 (web, x_refsource_MISC)
- huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c (web, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.