CVE-2022-2216

9.8 CRITICAL

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the parse-url npm package versions prior to 7.0.0. Attackers can exploit this to make the server send arbitrary HTTP requests to internal or external systems, potentially accessing sensitive data or services. Any application using vulnerable versions of parse-url for URL parsing is affected.

💻 Affected Systems

Products:
  • parse-url npm package
Versions: All versions prior to 7.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses parse-url to process user-controlled URLs without additional validation is vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of internal network resources, data exfiltration from cloud metadata services, or lateral movement to other systems via internal service exploitation.

🟠 Likely Case

Unauthorized access to internal HTTP services, port scanning of internal networks, or accessing cloud metadata to obtain credentials.

🟢 If Mitigated

Limited to external resource consumption or failed requests if proper network segmentation and input validation are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited and require minimal technical skill when public PoCs exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.0

Vendor Advisory: https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3

Restart Required: No

Instructions:

1. Update package.json to require parse-url version 7.0.0 or higher.
2. Run 'npm update parse-url' or 'yarn upgrade parse-url'.
3. Test application functionality after the update.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict validation of user-supplied URLs before passing them to parse-url, rejecting URLs with internal IP addresses or restricted schemes.

Network Segmentation (applies to: all)

Restrict outbound network access from affected servers to only the necessary external services using firewall rules.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SSRF protection rules to block malicious requests.
  • Deploy network monitoring to detect unusual outbound requests from the affected server.

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for parse-url version. If version is below 7.0.0, the system is vulnerable.

Check Version:

npm list parse-url | grep parse-url

Verify Fix Applied:

After updating, verify parse-url version is 7.0.0 or higher using 'npm list parse-url' or checking package.json.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from server to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x) or cloud metadata services (169.254.169.254).
  • Multiple failed connection attempts to non-standard ports from the application server.

Network Indicators:

  • HTTP requests from server to internal network segments that don't match normal application behavior.
  • Traffic to cloud metadata endpoints from application servers.

SIEM Query:

source="application_logs" AND (url="*://10.*" OR url="*://172.16.*" OR url="*://172.17.*" OR url="*://172.18.*" OR url="*://172.19.*" OR url="*://172.20.*" OR url="*://172.21.*" OR url="*://172.22.*" OR url="*://172.23.*" OR url="*://172.24.*" OR url="*://172.25.*" OR url="*://172.26.*" OR url="*://172.27.*" OR url="*://172.28.*" OR url="*://172.29.*" OR url="*://172.30.*" OR url="*://172.31.*" OR url="*://192.168.*" OR url="*://169.254.169.254*")
