Moderate severityNVD Advisory· Published Mar 11, 2022· Updated Sep 16, 2024

Improper Input Validation

CVE-2022-25839

Description

The package url-js before 2.1.0 are vulnerable to Improper Input Validation due to improper parsing, which makes it is possible for the hostname to be spoofed. http://\\\\\\\\localhost and http://localhost are the same URL. However, the hostname is not parsed as localhost, and the backslash is reflected as it is.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
url-jsnpm	< 2.1.0	2.1.0

Affected products

url-js/url-jsdescription
ghsa-coords
pkg:npm/url-js
Range: < 2.1.0

Patches

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-rf54-44jr-q5vfghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-25839ghsaADVISORY
github.com/duzun/URL.js/commit/9dc9fcc99baa4cbda24403d81a589e9b0f4121d0ghsax_refsource_MISCWEB
snyk.io/vuln/SNYK-JS-URLJS-2414030ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000