VYPR
Critical severity · NVD Advisory · Published Sep 14, 2022 · Updated Aug 3, 2024

Server-Side Request Forgery (SSRF) in ionicabizau/parse-url

CVE-2022-2900

Description

Server-Side Request Forgery in parse-url before 8.1.0 allows attackers to probe internal resources via crafted URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2022-2900 is a Server-Side Request Forgery (SSRF) weakness in the parse-url npm package, affecting versions prior to 8.1.0. parse-url makes no network requests itself; the exposure is in applications that use its output (protocol, host, pathname) to decide whether a user-supplied URL is safe to fetch and then pass the original string to an HTTP client. Before the fix, input that the underlying path parser could not handle was not rejected: the git-ssh fallback ran only when the parsed protocol was "file", and in every other case the partially parsed object was returned as if it were valid, so a crafted URL could satisfy a check on the parsed fields while steering the client elsewhere [1]. The fix commit makes parsing fail closed: it throws when the path parse fails and the input is not a git-ssh URL, and it rejects input longer than a configurable limit (2048 characters by default) [2].

Exploitation

An attacker exploits this by supplying a crafted URL to an application that parses it with parse-url and acts on the result, for example a web application that fetches a resource chosen by the user [3]. No authentication is required beyond whatever the application itself demands before it reaches the parsing step. Because parse-url only produces the object the application inspects, the attacker's string also has to be accepted by the application's HTTP client; the payoff is a request to an internal service, a cloud metadata endpoint, or another host that the server can reach but the attacker cannot.

Impact

Successful exploitation gives the attacker a request issued from the server's network position: host and port discovery on internal ranges, access to services that trust the server's address, and in some cases the contents of their responses. In cloud environments the instance metadata service is the usual first target, since it can hand out temporary credentials. The impact grows with the server's reach into other internal services [4].

Mitigation

The vulnerability is patched in parse-url 8.1.0, and updating is the recommended fix [2][3]. Two caveats apply even after updating. First, the new length cap is exposed as a writable property, parseUrl.MAX_INPUT_LENGTH (2048 by default), so any code in the process can raise it; treat it as a global setting, not a per-request one. Second, parse-url's output should not be the only gate in front of an outbound request: validate the URL with the same parser the HTTP client uses, treat any parse error as a rejection, and compare the host against an allowlist before fetching. If updating is not possible, those application-side checks reduce the risk but do not remove the bug.
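The gate that the mitigation advice calls for, as an added example that is not part of this advisory or of parse-url's own code. It also illustrates the failure mode described under Vulnerability and Exploitation: the parser fails closed instead of returning a guess, and the client is handed exactly the string that was checked. It uses Node's built-in WHATWG URL parser rather than parse-url, on the assumption that the application's HTTP client (fetch/undici, or http.request given a URL object) parses URLs by the same rules; the allowed-host set, the sample inputs and the function names are constructed for the example.

```javascript
// Added example, not parse-url's own code: a fail-closed gate for URLs that a
// server will fetch on a user's behalf. It mirrors the two ideas in the 8.1.0
// fix (reject unparseable input, cap input length) and adds the allowlist step
// the library leaves to the caller. Allowed hosts and sample inputs are
// constructed for illustration; the HTTP client is assumed to follow the
// WHATWG URL parser, as Node's fetch/undici and http.request do.

const MAX_INPUT_LENGTH = 2048; // same default the parse-url fix adopts
const ALLOWED_HOSTS = new Set(["api.example.com", "cdn.example.com"]); // assumed

// Returns { ok: true, href } with the canonical URL to hand to the client, or
// { ok: false, reason } so the caller can fail closed and log why.
function vetOutboundUrl(input, allowedHosts = ALLOWED_HOSTS) {
  if (typeof input !== "string" || !input.trim()) {
    return { ok: false, reason: "empty" };
  }
  if (input.length > MAX_INPUT_LENGTH) {
    return { ok: false, reason: "too-long" };
  }
  let url;
  try {
    // No base URL: relative or scheme-less input ("foo", "git@host:repo")
    // throws instead of being guessed into something fetchable.
    url = new URL(input);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: "scheme" };
  }
  if (url.username !== "" || url.password !== "") {
    // "https://api.example.com@169.254.169.254/" parses the allowed name as
    // userinfo and the metadata address as the host; reject credentials outright.
    return { ok: false, reason: "userinfo" };
  }
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: "host" };
  }
  if (url.port !== "") {
    // Non-default ports are a common way to reach internal admin listeners.
    return { ok: false, reason: "port" };
  }
  // Hand back the parsed href, never the raw input, so the client connects to
  // exactly the host that was checked.
  return { ok: true, href: url.href };
}

// Constructed inputs covering the accept path and each rejection reason.
const SAMPLE_INPUTS = [
  "https://api.example.com/v1/items?id=7",
  "HTTPS://API.EXAMPLE.COM/x",
  "https://api.example.com\\@169.254.169.254/", // backslash is a path separator for http(s)
  "https://api.example.com@169.254.169.254/latest/meta-data/",
  "https://api.example.com:8443/",
  "https://evil.example.net/",
  "file:///etc/passwd",
  "git@github.com:org/repo.git",
  "foo",
  "https://api.example.com/" + "a".repeat(3000),
];

// Maps each sample input to its verdict; handy for a quick self-check.
function vetAll(inputs = SAMPLE_INPUTS) {
  return inputs.map((input) => ({ input: input.slice(0, 60), ...vetOutboundUrl(input) }));
}

for (const verdict of vetAll()) {
  console.log(verdict);
}
```

The third sample is the instructive one: a naive substring check that looks for "@" would treat it as a credential form, but the WHATWG parser treats the backslash as a path separator, so the host really is api.example.com and the fetch is safe. Returning url.href rather than the raw input is what keeps the check and the client in agreement. A hostname allowlist still does not cover an allowed name that resolves to an internal address (DNS rebinding); that needs a check at resolution time, which is outside the scope of this example.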

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem  Affected versions  Patched versions
parse-url  npm        < 8.1.0            8.1.0

Patches

1
b88c81df8f4c

Throw if url is invalid. Add a length limit.

https://github.com/ionicabizau/parse-url · Ionică Bizău · Aug 3, 2022 · via ghsa
2 files changed · +49 −13
  • lib/index.js · +17 −3 · modified
    @@ -32,18 +32,27 @@ import normalizeUrl from "normalize-url";
      *    - `search` (String): The url querystring value.
      *    - `href` (String): The input url.
      *    - `query` (Object): The url querystring, parsed as object.
    + *    - `parse_failed` (Boolean): Whether the parsing failed or not.
      */
     const parseUrl = (url, normalize = false) => {
     
         // Constants
         const GIT_RE = /(^(git@|http(s)?:\/\/)([\w\.\-@]+)(\/|:))(([\~,\.\w,\-,\_,\/]+)(.git){0,1}((\/){0,1}))/
     
    -    if (typeof url !== "string" || !url.trim()) {
    -        const err = new Error("Invalid url.")
    +    const throwErr = msg => {
    +        const err = new Error(msg)
             err.subject_url = url
             throw err
         }
     
    +    if (typeof url !== "string" || !url.trim()) {
    +        throwErr("Invalid url.")
    +    }
    +
    +    if (url.length > parseUrl.MAX_INPUT_LENGTH) {
    +        throwErr("Input exceeds maximum length. If needed, change the value of parseUrl.MAX_INPUT_LENGTH.")
    +    }
    +
         if (normalize) {
             if (typeof normalize !== "object") {
                 normalize = {
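
Review bot: the new MAX_INPUT_LENGTH check in this hunk is not mentioned in the JSDoc block above it, even though the error message tells callers to change `parseUrl.MAX_INPUT_LENGTH`; add a line next to the new `parse_failed` entry that documents the default and that it is a process-wide, writable property. Also, the GIT_RE host group `([\w\.\-@]+)` still admits `@`, so a string that reaches the fallback can match with a host capture (`matched[4]`) that itself contains a second user@ segment; consider tightening that class to `[\w.\-]+` in the same change.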
    @@ -56,7 +65,7 @@ const parseUrl = (url, normalize = false) => {
         const parsed = parsePath(url)
     
         // Potential git-ssh urls
    -    if (parsed.protocol === "file") {
    +    if (parsed.parse_failed) {
             const matched  = parsed.href.match(GIT_RE)
             if (matched) {
                 parsed.protocols = ["ssh"]
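
Review bot: switching the condition from `parsed.protocol === "file"` to `parsed.parse_failed` makes both the git-ssh fallback and the new throw depend on parse-path populating `parse_failed`. If an older parse-path that does not set the field is resolved, `parsed.parse_failed` is `undefined`, this block is skipped, and unparseable input is returned silently again, which is exactly the behaviour this commit is meant to remove. The diff does not touch package.json; the parse-path dependency range should be bumped in the same commit so the two changes cannot be installed apart.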
    @@ -65,10 +74,15 @@ const parseUrl = (url, normalize = false) => {
                 parsed.host = matched[4]
                 parsed.user = "git"
                 parsed.pathname = `/${matched[6]}`
    +            parsed.parse_failed = false
    +        } else {
    +            throwErr("URL parsing failed.")
             }
         }
     
         return parsed;
     }
     
    +parseUrl.MAX_INPUT_LENGTH = 2048
    +
     export default parseUrl;
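
Review bot: `parseUrl.MAX_INPUT_LENGTH = 2048` is a writable property on the exported function, so any module in the process, including a transitive dependency, can raise or disable the limit for every caller; a per-call option such as a `maxLength` field on the existing `normalize` options object would keep the cap local to the code that chose it. Separately, the `else` branch throws `"URL parsing failed."` only when `parse_failed` is set and GIT_RE does not match, while a successful match sets `parse_failed = false` without any check on `matched[4]` beyond the regex itself; that path deserves the same scrutiny as the non-git one.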
    
  • test/index.js · +32 −10 · modified
    @@ -17,6 +17,7 @@ const INPUTS = [
               , hash: ""
               , search: ""
               , query: {}
    +          , parse_failed: false
             }
         ]
       , [
    @@ -32,6 +33,7 @@ const INPUTS = [
               , hash: ""
               , search: ""
               , query: {}
    +          , parse_failed: false
             }
         ]
       , [
    @@ -47,6 +49,7 @@ const INPUTS = [
               , hash: "some-hash?foo=bar"
               , search: ""
               , query: {}
    +          , parse_failed: false
             }
         ]
       , [
    @@ -62,6 +65,7 @@ const INPUTS = [
               , hash: ""
               , search: ""
               , query: {}
    +          , parse_failed: false
             }
         ]
       , [
    @@ -77,6 +81,7 @@ const INPUTS = [
               , hash: ""
               , search: ""
               , query: {}
    +          , parse_failed: false
             }
         ]
       , [
    @@ -92,6 +97,7 @@ const INPUTS = [
               , hash: ""
               , search: ""
               , query: {}
    +          , parse_failed: false
             }
         ]
       , [
    @@ -107,22 +113,24 @@ const INPUTS = [
               , hash: "http://a:1:1"
               , search: ""
               , query: {}
    +          , parse_failed: false
             }
         ]
       , [
             ["git@github.my-enterprise.com:my-org/my-repo.git", false],
             {
                 protocols: [ 'ssh' ]
    -            , protocol: 'ssh'
    -            , port: ''
    -            , resource: 'github.my-enterprise.com'
    -            , host: 'github.my-enterprise.com'
    -            , user: 'git'
    -            , password: ''
    -            , pathname: '/my-org/my-repo.git'
    -            , hash: ''
    -            , search: ''
    -            , query: {}
    +          , protocol: 'ssh'
    +          , port: ''
    +          , resource: 'github.my-enterprise.com'
    +          , host: 'github.my-enterprise.com'
    +          , user: 'git'
    +          , password: ''
    +          , pathname: '/my-org/my-repo.git'
    +          , hash: ''
    +          , search: ''
    +          , query: {}
    +          , parse_failed: false
             }
         ]
       , [
    @@ -138,6 +146,7 @@ const INPUTS = [
             , hash: ""
             , search: ""
             , query: {}
    +        , parse_failed: false
           }
       ]
     ];
    @@ -165,4 +174,17 @@ tester.describe("check urls", test => {
                 parseUrl("")
             }).toThrow(/invalid url/i)
         })
    +
    +    test.should("throw if url is too long", () => {
    +        parseUrl.MAX_INPUT_LENGTH = 10
    +        test.expect(() => {
    +            parseUrl("https://domain.com/")
    +        }).toThrow(/input exceeds maximum length/i)
    +    })
    +
    +    test.should("throw if url is invalid", () => {
    +        test.expect(() => {
    +            parseUrl("foo")
    +        }).toThrow(/url parsing failed/i)
    +    })
     });
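
Review bot: the "throw if url is too long" test sets `parseUrl.MAX_INPUT_LENGTH = 10` and never restores it, so the limit stays at 10 for every test that runs afterwards. The following "throw if url is invalid" case only passes because `"foo"` is shorter than 10 characters; any later test that uses a real URL would fail with the length error instead of the assertion under test. Save the previous value and restore it after the `toThrow` check, or assert on a string longer than 2048 characters against the default limit.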
    
