Protocol/Hostname spoofing via Improper Input Validation in medialize/uri.js


Reported on

Feb 27th 2022


The uri.js doesn't remove whitespace characters from the beginning of the protocol, so it doesn't parse URLs properly. Several methods, including http.get(), location.href, and fetch(), strip the whitespace character in front of the protocol before sending the request.

Proof of Concept

const url = require('urijs');
console.log(new url("\b"))
// console.log(new url("\bjavascript:alert(1)"))


  _string: '',
  _parts: {
    protocol: undefined,
    username: null,
    password: null,
    hostname: null,
    urn: null,
    port: null,
    path: '\b',
    query: null,
    fragment: null,
    preventInvalidHostname: false,
    duplicateQueryParameters: false,
    escapeQuerySpace: true
  _deferred_build: true


function remove_whitespace(url){
     const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
     url = url.replace(whitespace, '')
     return url

Write and use a function to remove white space characters as above.

We are processing your report and will contact the medialize/uri.js team within 24 hours. 2 years ago
Pocas modified the report
2 years ago
Pocas modified the report
2 years ago
We have contacted a member of the medialize/uri.js team and are waiting to hear back 2 years ago
We have sent a follow up to the medialize/uri.js team. We will try again in 4 days. 2 years ago
Rodney Rehm validated this vulnerability 2 years ago
p0cas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Rodney Rehm marked this as fixed in 1.19.9 with commit 86d105 2 years ago
The fix bounty has been dropped
Rodney Rehm
2 years ago

Maintainer contains the fix, thanks for the report!

to join this conversation