[SECURITY] [DLA 4413-1] node-url-parse security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4413-1] node-url-parse security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Tue, 16 Dec 2025 20:11:49 +0530
Message-id: <[🔎] CAPP0f94q-naD_c84aNhcT3pJFHX7=s8f72hmxpzif84zwE9aSQ@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4413-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
December 16, 2025                           https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : node-url-parse
Version        : 1.5.3-1+deb11u3
CVE ID         : CVE-2022-0639

It was found that in node-url-parse, a Node.js module used to parse
URLs, an incorrect conversion of `@` characters in protocol in the
`href` field can lead to lead to failure to properly identify the
hostname, which in turn could result in authorization bypass.

For Debian 11 bullseye, this problem has been fixed in version
1.5.3-1+deb11u3.

We recommend that you upgrade your node-url-parse packages.

For the detailed security status of node-url-parse please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-url-parse

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmlBb14ACgkQgj6WdgbD
S5YruA/9GDLJunpo4uvbwYVbt0PMtVSNGNcrceCVLDsZdzd3zbSpnPGzcXyRrab8
/Sf+EQgj/36xWNiAAyauz0ZufQNIAiX7fFbVnls0iAYq7hboRxHUrvrv0Z0+vfJk
TG6hxUQtQ5ihRyboTt++Wi+uPx8CgwmAiTOAdGLCjS66javHzFF9+8o0ZXjBBIsr
LpFsEHsfHeSOuu+yMeLx1Qi+8/sFGOew2oe+7c7E+nMuoCkAPyc606w/ZEFHMRay
VwEgtnsjsRSptO9PgWN3KGUxq4xeoMIq7eVtWpPIGP+Qp27veuGQ0uCCFw97qGXJ
+dWpz0N6h/4zsWtrm2mkN+wLeqsaawJuMY74CjojavdpV8jt3oFKH80YaW5u6BS+
ejDcm6pFsLHlddhykh4HfToK2RtKfEygsO4yR6iCLeb1PWQdr9WtU5wBIZs9EQY+
nt7FGwXIuFlB14Q4Gyp9R02FoZxIFtphjD6kXxSWZEp2sEa9940xRctxT0hFhHsm
bwka1tNiwUrC09TTCPg28bHD1hIAzO5ddVVMMtiGx3wllgQGAeIn9nm3MxHoaGya
9YkYhqDU93ewRQmO/zbIla7oX66LXiVYei7GTRRTRvj9Ly+bfFwZf1GYQErxpfIA
CnIKCuvaqu1B04Db3Iz1iwwbYYhJaLIPwDC8m0Pb6lBw28e1Y/c=
=gjQh
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4412-1] glib2.0 security update
Next by Date: [SECURITY] [DLA 4414-1] webkit2gtk security update
Previous by thread: [SECURITY] [DLA 4412-1] glib2.0 security update
Next by thread: [SECURITY] [DLA 4414-1] webkit2gtk security update
Index(es):
- Date
- Thread