CVE-2022-0686: 
JavaScript vulnerability analysis and mitigation

CVE-2022-0686 is an authorization bypass vulnerability affecting NPM url-parse versions prior to 1.5.8. The vulnerability was discovered in February 2022 and involves the parser's inability to correctly identify the hostname when no port number is provided in the URL, such as in http://example.com: (Debian LTS).

The vulnerability stems from a parsing issue where url-parse fails to properly handle cases where the port is specified but empty. This could lead to incorrect hostname identification when processing URLs with empty port specifications. The vulnerability has received a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NetApp Advisory).

Successful exploitation of this vulnerability could result in authorization bypass, potentially leading to SSRF attacks, open redirects, or any other vulnerability which depends on the hostname field of parsed URL. The vulnerability allows for disclosure of sensitive information and modification of data (Debian LTS, NetApp Advisory).

The vulnerability has been fixed in url-parse version 1.5.8 and later. Users are advised to upgrade to the latest version. For Debian 10 buster, the fix has been implemented in version 1.2.0-2+deb10u2 (Debian LTS, GitHub Patch).