Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.
The MITRE CVE dictionary describes this issue as: