Severity: moderate

Hostname spoofing via backslashes in URL



URI.js is a javascript URL mutation library (npm package urijs).

In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

For example the URL\ will incorrectly return if using an affected version. Patched versions correctly return Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants.

Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.


Upgrade to version 1.19.4 or later.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Jan 6th, 2021
  2. reported

    Reported by Anonymous
    Jan 6th, 2021