VYPR
Moderate severity · NVD Advisory · Published Mar 3, 2022 · Updated Apr 22, 2025

Improper Input Validation in URI.js

CVE-2022-24723

Description

URI.js is a JavaScript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

URI.js before 1.19.9 fails to remove leading whitespace from URLs, causing improper parsing and potential misrouting.

Vulnerability

URI.js before version 1.19.9 does not strip leading whitespace from the beginning of the protocol in URLs, leading to incorrect parsing [1][4]. All versions prior to 1.19.9 are affected [3].

Exploitation

An attacker can provide a URL with leading whitespace characters (e.g., space, tab) before the protocol. URI.js misparses such URLs, but no specific exploit scenario is detailed in available references.

Impact

Improper URL parsing could result in security bypasses or misrouting of HTTP requests, depending on how the library is used. The severity is context-dependent.

Mitigation

Upgrade to URI.js version 1.19.9 or later, released March 3, 2022 [3]. As a workaround, remove leading whitespace from user-supplied strings before passing them to URI.parse() [1].
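
The workaround above as an added JavaScript example (not code from URI.js or from the advisory): it strips the leading run with the character class from the fix commit, then validates and parses the same normalised string. `checkedParse`, `schemeOf`, the http/https allow-list and the stand-in parser are assumptions made for this illustration; in an application `parse` would be `URI.parse`.

```javascript
// Character class copied from the fix commit on this page (URI.js 1.19.9).
const LEADING_WHITESPACE =
  /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
const SCHEME = /^([A-Za-z][A-Za-z0-9+.\-]*):/;

// Assumed application policy for this example; not part of URI.js.
const ALLOWED_SCHEMES = new Set(['http', 'https']);

// Workaround step: drop the leading run before anything inspects the value.
function stripLeadingWhitespace(value) {
  if (typeof value !== 'string') throw new TypeError('URL must be a string');
  return value.replace(LEADING_WHITESPACE, '');
}

// Lower-cased scheme, or null when the value does not start with one.
function schemeOf(value) {
  const m = SCHEME.exec(value);
  return m ? m[1].toLowerCase() : null;
}

// Normalise once, then validate and parse the SAME string, so the policy
// check and the parser cannot disagree about where the scheme starts.
// `parse` is the application's parser (hypothetical parameter name).
function checkedParse(value, parse) {
  const url = stripLeadingWhitespace(value);
  const scheme = schemeOf(url);
  if (scheme === null) return { ok: false, reason: 'no scheme' };
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { ok: false, reason: 'scheme not allowed: ' + scheme };
  }
  return { ok: true, url, parts: parse(url) };
}

// Constructed sample input. The first value is the URL used in the
// patch's own test case; the other two are made up for this example.
const SAMPLES = [
  '\t\bhttp://www.example.org/?hello=world',
  '\u00a0 https://www.example.org/',
  ' \n ftp://www.example.org/',
];

// Stand-in parser so the example runs without urijs installed.
function runSamples() {
  const standIn = (s) => ({ protocol: schemeOf(s) });
  return SAMPLES.map((s) => checkedParse(s, standIn));
}
console.log(runSamples());
```
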

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: urijs (npm)
Affected versions: < 1.19.9
Patched versions: 1.19.9

Affected products

2
  • ghsa-coords
    Range: < 1.19.9
  • medialize/URI.jsv5
    Range: < 1.19.9

Patches

1
86d10523a6f6

fix(parse): remove leading whitespace

https://github.com/medialize/URI.js · Rodney Rehm · Mar 3, 2022 · via ghsa
2 files changed · +53 0
  • src/URI.js · +4 0 · modified
    @@ -239,6 +239,7 @@
         // balanced parens inclusion (), [], {}, <>
         parens: /(\([^\)]*\)|\[[^\]]*\]|\{[^}]*\}|<[^>]*>)/g,
       };
    +  URI.leading_whitespace_expression = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/
       // http://www.iana.org/assignments/uri-schemes.html
       // http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports
       URI.defaultPorts = {
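Review bot: the character class assigned to `URI.leading_whitespace_expression` mixes the `\x00-\x20` range with a hand-picked list of Unicode spaces and has no comment saying which definition of whitespace it follows. Add a short comment above the assignment naming the source of the set and noting that the `^` anchor limits it to the leading run, so a later edit does not widen or narrow it by accident. The statement also lacks the trailing semicolon that the `};` line above it uses.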
    @@ -494,6 +495,9 @@
             preventInvalidHostname: URI.preventInvalidHostname
           };
         }
    +
    +    string = string.replace(URI.leading_whitespace_expression, '')
    +
         // [protocol"://"[username[":"password]"@"]hostname[":"port]"/"?][path]["?"querystring]["#"fragment]
     
         // extract fragment
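Review bot: the new `string = string.replace(URI.leading_whitespace_expression, '')` line changes the input before parsing but carries no comment explaining why, and callers have no way to tell that the parsed string differs from the one they passed in. Add a one-line comment stating that leading whitespace is dropped so the protocol match starts at the first significant character, and mention the behaviour in the documentation of the parse function. The statement should also end with a semicolon to match the surrounding code.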
    
  • test/urls.js · +49 0 · modified
    @@ -2571,6 +2571,55 @@ var urls = [{
             idn: false,
             punycode: false
           }
    +    }, {
    +      name: 'leading white space',
    +      url: '\t\bhttp://www.example.org/?hello=world',
    +      _url: 'http://www.example.org/?hello=world',
    +      parts: {
    +        protocol: 'http',
    +        username: null,
    +        password: null,
    +        hostname: 'www.example.org',
    +        port: null,
    +        path: '/',
    +        query: 'hello=world',
    +        fragment: null
    +      },
    +      accessors: {
    +        protocol: 'http',
    +        username: '',
    +        password: '',
    +        port: '',
    +        path: '/',
    +        query: 'hello=world',
    +        fragment: '',
    +        resource: '/?hello=world',
    +        authority: 'www.example.org',
    +        origin: 'http://www.example.org',
    +        userinfo: '',
    +        subdomain: 'www',
    +        domain: 'example.org',
    +        tld: 'org',
    +        directory: '/',
    +        filename: '',
    +        suffix: '',
    +        hash: '',
    +        search: '?hello=world',
    +        host: 'www.example.org',
    +        hostname: 'www.example.org'
    +      },
    +      is: {
    +        urn: false,
    +        url: true,
    +        relative: false,
    +        name: true,
    +        sld: false,
    +        ip: false,
    +        ip4: false,
    +        ip6: false,
    +        idn: false,
    +        punycode: false
    +      }
         }
     ];
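Review bot: the added 'leading white space' case only feeds `\t\b` to the parser, and both characters fall in the `\x00-\x20` part of the new expression, so neither a plain space nor any of the Unicode entries such as `\u00a0` or `\ufeff` is exercised. Add at least one case per group of the character class, plus one with a mixed run of several characters, so that a typo in the class would fail the suite.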
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
