Authorization Bypass Through User-Controlled Key in medialize/uri.js


Reported on

Feb 14th 2022


Bypass for

urijs fixed the issue for CVE-2021-3647; however, an attacker can still exploit the issue due to case-sensitive checks in the earlier patch. An attacker can use case-insensitive protocol schemes like HTTP, htTP, HTtp etc. in order to bypass the patch for that bug.

Proof of Concept

var URI = require('urijs');
var url = new URI("HTTPS:///");
console.log(url); // print the parsed object shown below

URI {
  _string: '',
  _parts: {
    protocol: 'HTTPS',
    username: null,
    password: null,
    hostname: null,
    urn: null,
    port: null,
    path: '/',
    query: null,
    fragment: null,
    preventInvalidHostname: false,
    duplicateQueryParameters: false,
    escapeQuerySpace: true
  },
  _deferred_build: true
}


Bypass host-validation checks, open redirect, SSRF etc. - depends on the usage of urijs


add i modifier for case-insensitive checks
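
The case-sensitivity gap and the recommended i modifier, shown as an added JavaScript example that is not part of the original report and is not urijs source code. The pattern, the normalizePrefix helper and the host.example placeholder are assumptions made for illustration, and the check goes beyond the three spellings in the report by testing every upper/lower-case spelling of each scheme.

```javascript
// Added example: a hypothetical scheme-prefix normaliser, not urijs source code.
const SCHEMES = ['http', 'https', 'ftp', 'ws', 'wss'];

// Case-sensitive pattern, the kind of check the report says the earlier patch used.
const CASE_SENSITIVE = /^(https?|ftp|wss?):+[\/\\]*/;
// The same pattern with the i modifier, as the report recommends.
const CASE_INSENSITIVE = /^(https?|ftp|wss?):+[\/\\]*/i;

// Collapse the run of colons, slashes and backslashes after a known scheme to
// "://" and lowercase the scheme (RFC 3986 section 3.1 treats schemes as
// case-insensitive). Input the pattern does not match passes through unchanged.
function normalizePrefix(input, pattern) {
  return input.replace(pattern, (match, scheme) => scheme.toLowerCase() + '://');
}

// Every upper/lower-case spelling of a scheme, e.g. "http" yields 16 variants.
function caseVariants(scheme) {
  let out = [''];
  for (const ch of scheme) {
    const next = [];
    for (const prefix of out) {
      next.push(prefix + ch.toLowerCase(), prefix + ch.toUpperCase());
    }
    out = next;
  }
  return out;
}

// Regression check: which spellings does the pattern fail to normalise?
// "host.example" is a constructed placeholder host.
function missedSpellings(pattern) {
  const missed = [];
  for (const scheme of SCHEMES) {
    for (const variant of caseVariants(scheme)) {
      const fixed = normalizePrefix(variant + ':///host.example/', pattern);
      if (fixed !== scheme + '://host.example/') missed.push(variant);
    }
  }
  return missed;
}

console.log('case-sensitive misses:', missedSpellings(CASE_SENSITIVE).length);
console.log('with i modifier misses:', missedSpellings(CASE_INSENSITIVE).length);
```

A check like missedSpellings can be kept as a regression test so that any later change to the scheme pattern is exercised against all spellings, not only the lowercase one.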

We are processing your report and will contact the medialize/uri.js team within 24 hours. 2 years ago
Rohan Sharma submitted a
2 years ago
Rohan Sharma
2 years ago


Submitted the patch and PR:

Rodney Rehm validated this vulnerability 2 years ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Rodney Rehm
2 years ago


The fix provided by @r0hansh has been published as version 1.19.8 -

Rodney Rehm marked this as fixed in 1.19.8 with commit 6ea641 2 years ago
Rohan Sharma has been awarded the fix bounty
This vulnerability will not receive a CVE
URI.js#L516 has been validated