CVE-2021-27516

7.5 HIGH

📋 TL;DR

URI.js versions before 1.19.6 incorrectly parse URIs containing backslashes (such as http:\/), treating them as relative paths instead of absolute URLs. This can lead to security bypasses in applications that rely on URI.js for URI validation. Any application that uses a vulnerable URI.js version for URL parsing or validation is affected.

💻 Affected Systems

Products:
  • URI.js (urijs) library
Versions: All versions before 1.19.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or service using URI.js for URL parsing without additional validation is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass URL validation, security filters, or access controls by crafting malicious URIs with backslashes, potentially leading to SSRF, open redirects, or authentication bypass.

🟠 Likely Case

Most commonly, this could allow bypassing URL validation in web applications, leading to open redirect vulnerabilities or manipulation of URL-based security controls.

🟢 If Mitigated

With proper input validation and security controls, the impact is limited to potential parsing inconsistencies rather than critical security breaches.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to use URI.js for parsing user-supplied URLs. The vulnerability is simple to trigger with crafted input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.19.6

Vendor Advisory: https://github.com/medialize/URI.js/releases/tag/v1.19.6

Restart Required: No

Instructions:

1. Update the URI.js dependency to version 1.19.6 or later.
2. Run 'npm update urijs', or set the dependency in package.json to "urijs": "^1.19.6" and reinstall.
3. Test application functionality after the update.

🔧 Temporary Workarounds

Input Validation Workaround

Applies to: all

Implement custom validation to reject or normalize URIs containing backslashes before passing them to URI.js.

🧯 If You Can't Patch

  • Implement strict input validation to reject URIs containing backslashes in URL schemes
  • Use alternative URL parsing libraries that properly handle backslashes

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for the installed URI.js version. If the version is below 1.19.6, the system is vulnerable.

Check Version:

npm list urijs

Verify Fix Applied:

After updating, verify the version is 1.19.6 or higher and test that URIs with backslashes are properly rejected or normalized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns with backslashes in HTTP requests
  • Failed URL validation attempts with backslash characters

Network Indicators:

  • HTTP requests containing backslashes in URL schemes
  • Redirects to unexpected domains

SIEM Query:

source="web_logs" AND (url="*http:\\/*" OR url="*https:\\/*")
