CVE-2023-22493: 
JavaScript vulnerability analysis and mitigation

CVE-2023-22493 is a Server-Side Request Forgery (SSRF) vulnerability discovered in RSSHub. The vulnerability was disclosed on January 11, 2023, affecting versions before commit a66cbcf. This high-severity vulnerability (CVSS score 8.8) allows attackers to send arbitrary HTTP requests from the server to other servers or resources on the network (GitHub Advisory).

The vulnerability occurs when an attacker sends a request to affected routes with a malicious URL. By controlling a domain (e.g., ATTACKER.HOST) and using URL-encoded characters (%2F and %23), attackers can modify the base URL from https://${input}.defined.host to https://ATTACKER.HOST/#.defined.host. This manipulation allows the server to send requests to attacker-controlled domains. The vulnerability has a CVSS v3.1 base score of 8.8 with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L (GitHub Advisory).

The vulnerability enables attackers to send requests to internal or external servers and resources on the network, potentially gaining access to sensitive information that would not normally be accessible. This capability significantly amplifies the attack's impact by allowing unauthorized access to protected resources (GitHub Advisory).

The vulnerability was patched in commit a66cbcf. The fix includes implementing a new configuration option 'ALLOW_USER_SUPPLY_UNSAFE_DOMAIN' which is disabled by default, preventing users from providing domains as parameters to routes that are not in their allow list (GitHub PR).