[GHSA-rqff-837h-mm52] Authorization bypass in url-parse

[ljharb]

Updates

• Affected products

Comments
0.0.x versions (0.0.0 - 0.0.4) are NOT vulnerable because they use Node's built-in url.parse() instead of custom parsing logic:

  // In 0.0.x, the Node.js code path is simply:
  var parse = require('url').parse;

Node's url.parse() correctly handles multiple @ signs by treating the last @ as the auth/host separator:

  // 0.0.4 test:
  const parse = require('url').parse;
  parse('http://user@attacker.com@example.com/');
  // => hostname: 'example.com', auth: 'user@attacker.com'  ✓ CORRECT

In contrast, versions 0.1.0+ use custom regex/rule-based parsing that finds the first @:

• 0.1.x - 0.2.x: Uses "MOARE" (Mother Of All Regular Expressions) that captures at first @
• 1.0.0+: Uses rule-based parsing with address.indexOf('@') which finds first @

Both approaches incorrectly give hostname: 'attacker.com@example.com' instead of example.com.

[Copilot]

Pull request overview

This pull request updates the security advisory GHSA-rqff-837h-mm52 for the url-parse npm package to correct the affected version range, excluding versions 0.0.0-0.0.4 which are not vulnerable to the CVE-2022-0512 authorization bypass vulnerability.

Changes:

• Updated the modified timestamp to reflect the advisory update date
• Changed the introduced version from "0" to "0.1.0" to exclude 0.0.x versions that use Node's built-in url.parse()

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[helixplant]

Hi @ljharb,
We are currently looking into this and should have an answer for you soon.