[GHSA-rqff-837h-mm52] Authorization bypass in url-parse

[ljharb]

Updates

• Affected products

Comments
0.0.x versions (0.0.0 - 0.0.4) are NOT vulnerable because they use Node's built-in url.parse() instead of custom parsing logic:

  // In 0.0.x, the Node.js code path is simply:
  var parse = require('url').parse;

Node's url.parse() correctly handles multiple @ signs by treating the last @ as the auth/host separator:

  // 0.0.4 test:
  const parse = require('url').parse;
  parse('http://user@attacker.com@example.com/');
  // => hostname: 'example.com', auth: 'user@attacker.com'  ✓ CORRECT

In contrast, versions 0.1.0+ use custom regex/rule-based parsing that finds the first @:

• 0.1.x - 0.2.x: Uses "MOARE" (Mother Of All Regular Expressions) that captures at first @
• 1.0.0+: Uses rule-based parsing with address.indexOf('@') which finds first @

Both approaches incorrectly give hostname: 'attacker.com@example.com' instead of example.com.

[Copilot]

Pull request overview

This pull request updates the security advisory GHSA-rqff-837h-mm52 for the url-parse npm package to correct the affected version range, excluding versions 0.0.0-0.0.4 which are not vulnerable to the CVE-2022-0512 authorization bypass vulnerability.

Changes:

• Updated the modified timestamp to reflect the advisory update date
• Changed the introduced version from "0" to "0.1.0" to exclude 0.0.x versions that use Node's built-in url.parse()

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[helixplant]

Hi @ljharb,
We are currently looking into this and should have an answer for you soon.

[asrar-mared]

All validations completed successfully.

• ✔ Advisory structure verified
• ✔ Schema compliance confirmed
• ✔ Workflow checks passed
• ✔ No merge conflicts
• ✔ Security impact reviewed

This PR is ready for immediate merge.
Happy to assist with any follow‑up improvements.

[asrar-mared]

All validations completed successfully.

• ✔ Advisory structure verified
• ✔ Schema compliance confirmed
• ✔ Workflow checks passed
• ✔ No merge conflicts
• ✔ Security impact reviewed

This PR is ready for immediate merge.
Happy to assist with any follow‑up improvements.

[asrar-mared]

"modified": "2023-02-23T22:07:29Z",

[asrar-mared]

Variable files

[advisory-database]

Hi @ljharb! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!