CVE-2020-8124: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2020-8124) affects the url-parse npm package versions 1.4.4 and earlier. It was discovered and disclosed on February 4, 2020, and involves insufficient validation and sanitization of user input that could allow attackers to bypass security checks (Ubuntu Security, Debian Tracker).

The vulnerability is characterized as an input validation flaw in the node.js-url-parse package, which results in the URL being incorrectly set to the document location protocol. The vulnerability has been assigned a CVSS 3.1 base score of 5.3 (Medium), with the following characteristics: Network attack vector, Low attack complexity, No privileges required, No user interaction needed, Unchanged scope, No impact on confidentiality, Low impact on integrity, and No impact on availability (Ubuntu Security).

The vulnerability could allow attackers to bypass security checks due to improper validation of the protocol of the returned URL (Red Hat Portal).

Multiple vendors have released fixes for this vulnerability. Ubuntu has fixed versions available for various releases: Ubuntu 18.04 LTS (bionic) received version 1.2.0-1ubuntu0.1, and Ubuntu 16.04 LTS (xenial) received version 1.0.5-2ubuntu0.1~esm2. Debian has also released fixes in multiple versions: bullseye (1.5.3-1+deb11u2), bookworm (1.5.10+~1.4.8-2), and sid/trixie (1.5.10+~1.4.8-3) (Ubuntu Security, Debian Tracker).