High severity · NVD Advisory · Published Apr 5, 2022 · Updated Aug 2, 2024

CRHTLF can lead to invalid protocol extraction potentially leading to XSS in medialize/uri.js

CVE-2022-1243

Description

CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CRHTLF in URI.parse() allows injection of CR, LF, or TAB characters, leading to protocol extraction bypass and potential XSS in URI.js before 1.19.11.

Vulnerability

A CRHTLF vulnerability exists in URI.parse() in the URI.js library prior to version 1.19.11. The parser does not strip ASCII tab or newline characters (\r, \n, \t) from the input string, allowing an attacker to smuggle these characters into the URL. This can cause the protocol extraction logic to misinterpret the intended scheme, as the library previously only stripped leading whitespace but not these control characters [1][3].

Exploitation

An attacker can craft a URL containing CR, LF, or TAB characters, such as ja\r\nva\tscript:alert(1). When an application using the vulnerable library processes this URL (e.g., by calling URI.parse()), the parser leaves the control characters in place, so its protocol extraction does not recognise the javascript: scheme; a browser, by contrast, strips these characters and treats the input as javascript:alert(1). This bypasses protocol validation that would otherwise have blocked the javascript: scheme, enabling a cross-site scripting (XSS) attack. No authentication is required, and the attack can be delivered through any vector that supplies user-controlled URLs to the library [3][4].

Impact

Successful exploitation leads to XSS, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in theft of session cookies, credential harvesting, or other client-side attacks. The attack is performed with the privileges of the user running the application that uses URI.js [2][4].

Mitigation

Upgrade to URI.js version 1.19.11 or later, released on April 5, 2022, which introduces the URI.ascii_tab_whitespace regex and strips \r, \n, and \t characters from the input before parsing [3]. No workaround is available if the library is used for URL parsing. The vulnerability was disclosed via the huntr.dev bug bounty platform [4].
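The following is an added example, not URI.js code, showing the mismatch described under Exploitation and the pre-parse stripping the fix introduces: a simplified scheme extractor in the shape the advisory describes, its hardened form, and the browser's own interpretation (Node's WHATWG URL parser) for comparison. The regex names, the allowlist and the sample URL are assumptions constructed for the example.

```javascript
// Added example (not URI.js code). Same character class the 1.19.11 fix strips
// before parsing: tab, LF, CR.
const ASCII_TAB_WHITESPACE = /[\u0009\u000A\u000D]/g;
// Scheme syntax per RFC 3986 (assumed shape of the library's protocol check).
const SCHEME_SYNTAX = /^[a-z][a-z0-9.+-]*$/i;

// Pre-fix behaviour: take everything before the first ':' as the scheme and
// discard it when it is not valid scheme syntax. Smuggled control characters
// make "ja\r\nva\tscript" fail the check, so no scheme is found and the URL
// looks like a relative link.
function extractSchemeVulnerable(url) {
  const pos = url.indexOf(":");
  if (pos === -1) return null;
  const candidate = url.substring(0, pos);
  return SCHEME_SYNTAX.test(candidate) ? candidate.toLowerCase() : null;
}

// Fixed behaviour: strip ASCII tab/newline first, as browsers do, then extract.
function extractSchemeFixed(url) {
  return extractSchemeVulnerable(url.replace(ASCII_TAB_WHITESPACE, ""));
}

// What the browser actually does: the WHATWG URL parser removes ASCII tab and
// newline before parsing, so the scheme it reports is the one that would run.
function browserScheme(url) {
  try {
    return new URL(url, "https://example.invalid/").protocol.replace(/:$/, "");
  } catch (e) {
    return null; // not parseable as a URL at all
  }
}

// Allowlist check of the kind that was bypassable: relative links (no scheme)
// and http/https pass, every other scheme is rejected.
const ALLOWED_SCHEMES = new Set(["http", "https"]);
function hrefAllowed(url, extractScheme) {
  const scheme = extractScheme(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample from the advisory text: CR, LF and TAB inside the scheme.
const SMUGGLED = "ja\r\nva\tscript:alert(1)";

// Vulnerable extractor: no scheme found, link allowed. Fixed extractor and the
// browser both see "javascript", so the hardened check rejects it.
console.log(extractSchemeVulnerable(SMUGGLED), hrefAllowed(SMUGGLED, extractSchemeVulnerable));
console.log(extractSchemeFixed(SMUGGLED), hrefAllowed(SMUGGLED, extractSchemeFixed));
console.log(browserScheme(SMUGGLED));
```

The check to take away is the last comparison: any allowlist applied to a scheme extracted from the raw string must agree with what the browser extracts after it strips tab and newline, which is exactly what the 1.19.11 stripping restores.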

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Affected versions   Patched versions
urijs (npm)   < 1.19.11           1.19.11

Affected products (2)

  • ghsa-coords
    Range: < 1.19.11
  • medialize/medialize/uri.jsv5
    Range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.