CVE-2020-8910: 
JavaScript vulnerability analysis and mitigation

A URL parsing issue was discovered in goog.uri of the Google Closure Library versions up to and including v20200224. The vulnerability, tracked as CVE-2020-8910, allows attackers to send malicious URLs to be parsed by the library and return the wrong authority. The issue was addressed with the release of version v20200315 (Google Closure).

The vulnerability stems from improper handling of URL parsing in the goog.uri component. The issue is related to a regex pattern in the URI parser that didn't properly handle authority terminating characters. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The weakness has been classified as CWE-625 (Permissive Regular Expression) (NVD).

When exploited, the vulnerability allows an attacker to manipulate URL parsing results, potentially leading to incorrect authority identification in parsed URLs. This could result in security implications where URL authority validation is critical for security decisions (NVD).

The recommended mitigation is to update the Google Closure Library to version v20200315 or later. The fix was implemented through a patch that corrects the authority parsing in the Closure URI parser (Closure Patch).