apache / nano

Nano is now part of Apache CouchDB. Repo moved to https://GitHub.com/apache/couchdb-nano

Home Page:https://github.com/apache/couchdb-nano


Regular expression in `scrub` produces incorrect results if URL path portion contains a bare '@'


In https://github.com/dscape/nano/blob/master/lib/nano.js#L64, `(.*)@` is being used instead of the non-greedy `(.*?)@` or `([^@]*)@` – this matches up until the last occurrence of `@`, rather than the first. If the URL's path component contains a bare `@`, the entire hostname and a portion of the path could be stripped. For example, `scrub('https://foo:bar@host/foo/bar/@quux')` will yield `"https://XXXXXX:XXXXXX@quux"` instead of `"https://XXXXXX:XXXXXX@host/foo/bar/@quux"`.

I can't see any way to exploit this beyond potentially hiding URL contents in logs, but admittedly haven't investigated closely.
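Reproducing the report, as an added example that is not nano's own code: only the greedy `(.*)@` group comes from the issue, so the surrounding shape of `scrub()` (a `//...@` replace that substitutes `XXXXXX:XXXXXX`) is an assumption. The block also goes one step beyond the issue's suggested fix: `([^@]*)@` stops at the first `@`, but it still matches a URL that has no credentials at all and a bare `@` in its path, so the hardened variant excludes every character that cannot appear in a URI userinfo (`/`, `?`, `#`), and a parser-based variant is shown for comparison.

```javascript
// Added example (not nano's code). Demonstrates why a greedy `(.*)@` in a
// credential-scrubbing regex leaks or destroys the wrong part of a URL, and
// two ways to fix it. The exact form of nano's scrub() is an assumption.
const MASK = 'XXXXXX:XXXXXX';

// Greedy: `(.*)` runs to the LAST '@' in the string, so a bare '@' in the path
// swallows the host and part of the path. This is the behaviour the issue reports.
function scrubGreedy(url) {
  return url.replace(/\/\/(.*)@/, '//' + MASK + '@');
}

// Non-greedy: `[^@]*` stops at the FIRST '@'. Fixes the reported input, but when
// the URL carries no credentials and the path holds an '@', the group still runs
// from '//' through the host and path to that '@' and mangles the URL.
function scrubNonGreedy(url) {
  return url.replace(/\/\/([^@]*)@/, '//' + MASK + '@');
}

// Hardened: RFC 3986 userinfo cannot contain '/', '?' or '#', so refusing those
// characters inside the group means a matched '@' must belong to the authority.
// A URL without credentials is left untouched.
function scrubHardened(url) {
  return url.replace(/\/\/([^@/?#]*)@/, '//' + MASK + '@');
}

// Parser-based alternative: let the WHATWG URL parser decide what the userinfo
// is. Caveat: it normalises the URL (lower-cases the host, percent-encodes some
// characters), so output may differ from the input in ways a string replace would not.
function scrubParsed(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return url; // not an absolute URL: nothing to scrub
  }
  if (u.username === '' && u.password === '') return url;
  u.username = 'XXXXXX';
  u.password = 'XXXXXX';
  return u.href;
}

// Constructed sample inputs: the issue's URL, a credential-free URL with '@' in
// the path, and credentials plus an '@' in the query string.
const SAMPLES = [
  'https://foo:bar@host/foo/bar/@quux',
  'https://host/foo/bar/@quux',
  'https://foo:bar@host/db?q=a@b',
];

// Returns the result of every variant for one URL, so the differences are visible.
function compareScrubs(url) {
  return {
    greedy: scrubGreedy(url),
    nonGreedy: scrubNonGreedy(url),
    hardened: scrubHardened(url),
    parsed: scrubParsed(url),
  };
}

for (const s of SAMPLES) {
  console.log(s, compareScrubs(s));
}
```

The hardened regex is the minimal change to the existing string-based approach; the parser-based version is safer against other authority-section edge cases but changes the serialised form, which matters if the scrubbed string is compared against the original elsewhere.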

This repository has been merged into apache/couchdb-nano; please continue the discussion here