From e6fa43422c52f34c73146552ec9916125dc59525 Mon Sep 17 00:00:00 2001 From: Luigi Pinca Date: Sun, 13 Feb 2022 20:21:27 +0100 Subject: [PATCH] [security] Add credits for incorrect handling of userinfo vulnerability --- SECURITY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index f85d48f..f3e7892 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -33,6 +33,14 @@ acknowledge your responsible disclosure, if you wish. ## History +> Incorrect handling of username and password can lead to authorization bypass. + +- **Reporter credits** + - ranjit-git + - GitHub: [@ranjit-git](https://github.com/ranjit-git) +- Huntr report: https://www.huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b/ +- Fixed in: 1.5.6 + > url-parse mishandles certain uses of a single (back) slash such as https:\ & > https:/ and interprets the URI as a relative path. Browsers accept a single > backslash after the protocol, and treat it as a normal slash, while url-parse
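Review bot: The summary line of the new History entry ("Incorrect handling of username and password can lead to authorization bypass.") does not say which inputs are mishandled, whereas the entry just below it names the exact forms (https:\ and https:/). Consider adding one sentence describing the userinfo case, so a reader can judge exposure without opening the Huntr report. "Fixed in: 1.5.6" gives only the fixed version; if the affected range is known, state it alongside. Minor style point in the bullets: the Huntr URL is bare while the GitHub profile is a Markdown link, and only "Reporter credits" is bold. Use one form for all three top-level bullets, and if the other entries in SECURITY.md already follow a form, match it.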