CVE-2021-26539
internationalized domain name (IDN) vulnerability in sanitize-html (npm)


What is CVE-2021-26539 About?

This vulnerability in Apostrophe Technologies `sanitize-html` allows attackers to bypass the hostname whitelist that the `allowedIframeHostnames` option applies to iframe elements, by exploiting the library's improper handling of Internationalized Domain Names (IDN). A crafted iframe `src` can pass the check while the browser loads the frame from a host that is not on the whitelist. Exploitation requires crafting specific IDN-based URLs and is of moderate complexity.

Affected Software

sanitize-html <2.3.1

Technical Details

The vulnerability in Apostrophe Technologies sanitize-html (before 2.3.1) stems from its improper handling of Internationalized Domain Names (IDN) when validating an iframe's src attribute against the allowedIframeHostnames option. The check is a comparison between the hostname the library extracts from the src and the entries of the whitelist. Browsers, however, process hostnames through IDNA (UTS #46) before resolving them: labels are case-folded, certain Unicode characters are mapped to other characters (some to ASCII, some to the "." label separator) or dropped, and any remaining non-ASCII label is Punycode-encoded, so a src written as bücher.example is fetched from xn--bcher-kva.example. If the library's extraction or comparison does not apply the same normalization, the hostname it compares is not the hostname the browser connects to. This can happen if the library validates the Punycode representation while the whitelist holds the Unicode form, or vice versa, or through some other inconsistency in how non-ASCII characters in the host are treated. An attacker can then craft an IDN-based src whose library-side hostname is accepted by the whitelist check while the browser renders the iframe from a domain the attacker controls, bypassing the intended security control.

What is the Impact of CVE-2021-26539?

Successful exploitation allows an attacker to embed arbitrary content from an unauthorized origin inside an iframe on the vulnerable application's pages, enabling content spoofing, phishing and UI-redress attacks that borrow the trust of the surrounding page. Scripts inside a cross-origin frame execute in the frame's own origin, not the embedding page's, so this is not by itself cross-site scripting against the host application; the risk grows where the application gives frames additional privileges, for example by omitting a sandbox attribute or exposing postMessage handlers that trust framed content.

What is the Exploitability of CVE-2021-26539?

Exploitation involves submitting HTML containing an iframe whose src uses an Internationalized Domain Name (IDN) crafted so that the hostname the library compares against the whitelist differs from the hostname a browser resolves. The complexity is moderate: the attacker needs to understand IDNA and Punycode encoding and how the library extracts and compares hostnames. No authentication or special privileges are required, because the flaw lies in how user-supplied input is sanitized; the attacker only needs a way to get the crafted HTML into content that the application passes through sanitize-html and then renders to other users. The prerequisite is that the application allows iframe elements and restricts them with allowedIframeHostnames. The likelihood of exploitation is highest in applications that accept user-submitted HTML containing iframes, such as comment systems, forums and rich-text editors.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits are listed.

What are the Available Fixes for CVE-2021-26539?

Available Upgrade Options

  • sanitize-html
    • <2.3.1 → Upgrade to 2.3.1 or later. Because the related CVE-2021-26540 addresses a further bypass of the same iframe hostname check and is fixed in 2.3.2, upgrading to at least 2.3.2 is advisable.


Additional Resources

What are Similar Vulnerabilities to CVE-2021-26539?

Similar Vulnerabilities: CVE-2021-26540 (the companion sanitize-html advisory: before 2.3.2, the allowedIframeHostnames whitelist could be bypassed via URLs treated as relative when allowIframeRelativeUrls is enabled), CVE-2020-25697, CVE-2019-17498, CVE-2017-6401