CVE-2022-0691

9.8 CRITICAL

📋 TL;DR

CVE-2022-0691 is an authorization bypass vulnerability in the url-parse npm package where attackers can manipulate URL parsing to bypass authorization controls. This affects any application using vulnerable versions of url-parse for URL parsing and authorization logic. The vulnerability allows attackers to access resources they shouldn't have permission to view or modify.

💻 Affected Systems

Products:
  • url-parse npm package
  • Applications using url-parse for URL parsing
Versions: All versions prior to 1.5.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Applications must use url-parse for parsing URLs that influence authorization decisions. The vulnerability is in the library itself, not dependent on specific configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through privilege escalation, allowing attackers to access sensitive data, modify critical configurations, or execute unauthorized administrative functions.

🟠 Likely Case

Unauthorized access to restricted application resources, data leakage, or modification of user-specific data through manipulated URL parameters.

🟢 If Mitigated

Limited impact with proper input validation and authorization checks independent of URL parsing, potentially resulting in failed exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to craft specific URL parameters that bypass authorization checks. The vulnerability is well-documented with public proof-of-concept examples available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.9 and later

Vendor Advisory: https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63

Restart Required: No

Instructions:

1. Update the url-parse dependency to version 1.5.9 or higher.
2. Run 'npm update url-parse', or update package.json to specify "url-parse": "^1.5.9".
3. Rebuild and redeploy affected applications.

🔧 Temporary Workarounds

Input Validation Workaround

all

Implement strict input validation for URL parameters before passing to url-parse

Authorization Bypass Protection

all

Add additional authorization checks independent of URL parsing results

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to detect and block malicious URL patterns
  • Isolate affected applications behind additional authentication layers and monitor for suspicious access patterns

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/url-parse/package.json for version number. Versions below 1.5.9 are vulnerable.

Check Version:

npm list url-parse | grep url-parse

Verify Fix Applied:

Verify url-parse version is 1.5.9 or higher using 'npm list url-parse' command.
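
The version check above can be automated against a lockfile so that nested (transitive) copies of url-parse are caught as well. This is an added example, not code from the url-parse project or from this advisory; the sample lockfile and the package name `legacy-client` are constructed for illustration.

```javascript
// Added example (not url-parse project code): list every url-parse copy
// recorded in a package-lock.json and flag versions below 1.5.9.
const FIXED = [1, 5, 9]; // patch version stated on this page

function isVulnerable(version) {
  const [core, pre] = String(version).split('+')[0].split('-', 2);
  const parts = core.split('.').map(Number);
  if (parts.some(Number.isNaN)) return true; // unparseable: flag for review
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIXED[i]) return a < FIXED[i];
  }
  return pre !== undefined; // a 1.5.9 pre-release sorts before 1.5.9
}

function findUrlParse(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isCopy = path === 'node_modules/url-parse' ||
        path.endsWith('/node_modules/url-parse');
      if (isCopy && meta.version) hits.push({ path, version: meta.version });
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'url-parse') hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.map(h => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample lockfile; "legacy-client" is a hypothetical package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/url-parse': { version: '1.5.10' },
    'node_modules/legacy-client/node_modules/url-parse': { version: '1.5.3' },
  },
};

console.log(findUrlParse(sampleLock).filter(h => h.vulnerable));
```

To check a real project, pass the parsed contents of its package-lock.json to `findUrlParse` and fail the build when any entry has `vulnerable: true`.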

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns with special characters in authorization endpoints
  • Failed authorization attempts followed by successful access with modified URLs
  • Access to restricted resources from unexpected user contexts

Network Indicators:

  • HTTP requests with manipulated URL parameters containing special characters or unexpected structures
  • Requests bypassing normal authentication flows

SIEM Query:

source="web_server" AND (url="*@*" OR url="*#*" OR url="*?*" OR url="*&*") AND (status=200 OR status=302) AND (resource="*/admin*" OR resource="*/restricted*")
