Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
The MITRE CVE dictionary describes this issue as: