GHSA-gf8q-jrpm-jvxq: 
JavaScript vulnerability analysis and mitigation

A vulnerability was identified in node-forge's URL parsing functionality affecting versions prior to 1.0.0. The issue, tracked as GHSA-gf8q-jrpm-jvxq and CVE-2022-0122, was discovered and disclosed on January 6, 2022. The vulnerability exists in the forge.util.parseUrl API, where improper parsing of certain inputs could result in undesired behavior (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is categorized as CWE-601 (URL Redirection to Untrusted Site), indicating potential open redirect vulnerabilities. The core problem lies in the regex implementation used for URL parsing in the forge.util.parseUrl API (NVD).

The vulnerability could lead to undesired behavior when parsing URLs, potentially resulting in URL redirection to untrusted sites. The impact is considered medium severity, with potential for both confidentiality and integrity breaches, though no availability impact has been noted (NVD).

The vulnerability has been patched in version 1.0.0 of node-forge, where the forge.util.parseUrl and related legacy URL APIs were completely removed in favor of the more modern WHATWG URL Standard API. For users unable to upgrade immediately, the recommended workaround is to ensure code does not directly or indirectly call forge.util.parseUrl with untrusted input (GitHub Advisory).