Vulnerability Database

309,587

Total vulnerabilities in the database

URL parsing in node-forge could lead to undesired behavior.

Impact

The regex used for the forge.util.parseUrl API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior.

Patches

forge.util.parseUrl and other very old related URL APIs were removed in 1.0.0 in favor of letting applications use the more modern WHATWG URL Standard API.

Workarounds

Ensure code does not directly or indirectly call forge.util.parseUrl with untrusted input.

References

https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae/

For more information

If you have any questions or comments about this advisory:

Open an issue in forge
Email us at support@digitalbazaar.com

Published: Jan 8, 2022
Updated: Apr 14, 2023
GHSA: GHSA-gf8q-jrpm-jvxq
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-601

Affected Software
References

Software	From	Fixed in
digitalbazaar / node-forge	-	1.0.0

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo