CVE-2018-12123

Summary

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

Affected Software

VendorProductVersion RangeStatus
The Node.js ProjectNode.jsAll versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0affected

Weaknesses

  • CWE-115: CWE-115: Misinterpretation of Input

ADP Enrichment

CVE Program Container

Additional References

References