CVE-2021-23648
Cross-site Scripting (XSS) vulnerability in sanitize-url (npm)
What is CVE-2021-23648 About?
The `@braintree/sanitize-url` package, prior to version 6.0.0, contains a Cross-site Scripting (XSS) vulnerability due to improper sanitization in its `sanitizeUrl` function. This flaw allows attackers to bypass security checks and inject malicious scripts. The impact ranges from data theft to unauthorized actions, and exploitation is relatively straightforward with crafted inputs.
Affected Software
Technical Details
The `sanitizeUrl` function within the `@braintree/sanitize-url` package is designed to filter out dangerous URLs. However, in versions before 6.0.0, the sanitization logic is flawed, allowing certain URL schemes or constructs that are typically considered unsafe to pass through without adequate neutralization. An attacker can craft a URL containing embedded JavaScript (e.g., `javascript:alert(1)` or similar encoding variations) that the `sanitizeUrl` function fails to identify as malicious. When an application later uses this 'sanitized' but still malicious URL (e.g., in an `<a>` tag's `href` attribute), the embedded JavaScript code is executed in the user's browser, leading to an XSS attack.
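The weakness described above is characteristic of denylist sanitizers: they look for known-bad scheme strings, so any encoding or control-character variation the check does not anticipate slips through. The defensive alternative is an allowlist that accepts only the schemes the application expects and maps everything else to a harmless value. The following is an added example written for this page; it is not code from `@braintree/sanitize-url` or from the fix in 6.0.0. The function name `sanitizeUrlAllowlist`, the `ALLOWED_SCHEMES` set and the `about:blank` fallback are choices made here, and the scheme decision is delegated to the WHATWG `URL` parser so that the sanitizer and the browser agree on what the scheme is.

```javascript
// Added example: allowlist-based URL sanitizer (not the library's own code).
// Only schemes listed in ALLOWED_SCHEMES are accepted; everything else,
// including javascript:, data: and unparsable input, becomes SAFE_FALLBACK.

const SAFE_FALLBACK = "about:blank";                     // assumption: chosen fallback
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumption: app policy

// Matches a leading URL scheme as the WHATWG URL parser defines one:
// one ASCII letter followed by letters, digits, '+', '-' or '.', then ':'.
const SCHEME_RE = /^[a-z][a-z0-9+.-]*:/i;

// Remove ASCII control characters and surrounding whitespace. Browsers ignore
// these inside a scheme, so a sanitizer that does not strip them would be
// checking a different string than the one the browser actually interprets.
function normalize(input) {
  return String(input).replace(/[\u0000-\u001F\u007F]/g, "").trim();
}

function sanitizeUrlAllowlist(input) {
  const cleaned = normalize(input);
  if (cleaned === "") return SAFE_FALLBACK;

  // No scheme at all: the browser resolves this relative to the current page,
  // so it inherits the page's (http/https) scheme and is returned unchanged.
  if (!SCHEME_RE.test(cleaned)) return cleaned;

  // Absolute URL: let the URL parser decide the scheme. Anything it cannot
  // parse is rejected rather than passed through "just in case".
  let parsed;
  try {
    parsed = new URL(cleaned);
  } catch {
    return SAFE_FALLBACK;
  }
  // parsed.protocol is already lower-cased, so "JAVAscript:" is caught too.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : SAFE_FALLBACK;
}

// Usage: sanitizeUrlAllowlist("https://example.com/a") -> "https://example.com/a"
//        sanitizeUrlAllowlist("javascript:alert(1)")    -> "about:blank"
module.exports = { sanitizeUrlAllowlist, normalize, SAFE_FALLBACK };
```

Two points matter when wiring this in. First, sanitize the exact string that will reach the DOM: if the application HTML-entity-decodes or URL-decodes the value afterwards, the check ran on a different string than the browser sees. Second, assign the result with a DOM property (`anchor.href = ...`) rather than by concatenating it into an HTML string, so that the attribute context cannot reinterpret it.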
What is the Impact of CVE-2021-23648?
Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, hijack user sessions, deface web content, or redirect users to malicious sites.
What is the Exploitability of CVE-2021-23648?
Exploitation of this XSS vulnerability is of low to moderate complexity. It requires an attacker to provide input that includes a crafted malicious URL that passes through the `sanitizeUrl` function. No authentication is typically required for the attacker to supply this input, depending on how the application uses the library (e.g., user-submitted links). This is a remote exploitation scenario, where the attacker delivers the malicious URL (often through another vulnerable input vector) and the victim's browser executes it. The primary prerequisite is that the application uses the vulnerable sanitize-url version and renders URLs processed by it. No special privileges are required. The risk increases in applications that accept untrusted URL inputs and rely solely on sanitize-url for protection.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23648?
Available Upgrade Options
- @braintree/sanitize-url
- <6.0.0 → Upgrade to 6.0.0
Additional Resources
- https://github.com/braintree/sanitize-url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
- https://github.com/braintree/sanitize-url/blob/main/src/index.ts%23L11
- https://osv.dev/vulnerability/GHSA-hqq7-2q2v-82xq
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
- https://github.com/braintree/sanitize-url/pull/40/commits/e5afda45d9833682b705f73fc2c1265d34832183
- https://snyk.io/vuln/SNYK-JS-BRAINTREESANITIZEURL-2339882
What are Similar Vulnerabilities to CVE-2021-23648?
Similar Vulnerabilities: CVE-2022-48345, CVE-2022-23461, CVE-2023-28435, CVE-2023-38406, CVE-2023-45136
