CVE-2021-26540
hostname whitelist bypass vulnerability in sanitize-html (npm)
What is CVE-2021-26540 About?
This vulnerability in Apostrophe Technologies' sanitize-html (npm) lets an attacker bypass the `allowedIframeHostnames` whitelist for iframe elements when `allowIframeRelativeUrls` is also set to true, so content from domains outside the whitelist can be embedded. Exploitation requires a specially crafted `src` value (one beginning with `/\example.com`) and is of moderate difficulty.
Affected Software
- sanitize-html (npm), versions before 2.3.2
Technical Details
sanitize-html before 2.3.2 is affected when `allowedIframeHostnames` is set to restrict which hosts an iframe may load from and `allowIframeRelativeUrls` is set to true. With that configuration the sanitizer must first decide whether an iframe `src` is relative (allowed without further checks) or absolute (hostname checked against the whitelist). A value such as `/\example.com` contains no scheme and no `//` authority marker, so a legacy-style parse finds neither a scheme nor a host in it, and the sanitizer classified it as a path-relative URL and passed it through without a hostname check. Browsers, however, follow the WHATWG URL Standard, which treats a backslash as equivalent to a forward slash in special schemes such as http and https: when the sanitized page is rendered, `/\example.com` is resolved as `//example.com/`, a protocol-relative URL pointing at example.com. The sanitizer and the browser therefore disagree about what the value means, and an attacker can use this pattern (or variants with the same effect) to place any host in an iframe `src` attribute despite the whitelist.
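The parser disagreement described above, as an added example written for this page (it is not sanitize-html's own code and does not reproduce its implementation). It puts a legacy-style relative-URL test beside a browser-faithful one built on the WHATWG `URL` class, then shows a vulnerable and a hardened iframe `src` decision side by side. The option names mirror sanitize-html's `allowIframeRelativeUrls` and `allowedIframeHostnames`; the allowlist contents, the page origin `https://app.example` and the function names are assumptions. Run with Node.js.

```javascript
// Added example (not sanitize-html's own code): the parser discrepancy behind the bypass.
// The allowlist, the page origin and the function names below are assumptions for illustration.

const ALLOWED_IFRAME_HOSTNAMES = ['www.youtube.com', 'player.vimeo.com']; // hypothetical allowlist
const PAGE_ORIGIN = 'https://app.example';                                  // hypothetical embedding page

// Legacy-style "is this URL relative?" test: no scheme and no leading "//" means no host.
// "/\example.com" satisfies both conditions and is therefore classified as path-relative.
function legacyIsRelative(src) {
  return !/^[a-z][a-z0-9+.-]*:/i.test(src) && !src.startsWith('//');
}

// Resolve the value the way a browser will (WHATWG URL Standard). In special schemes such
// as https a backslash is treated as a forward slash, so "/\example.com" resolved against
// the page becomes "https://example.com/", i.e. it points at example.com.
function resolveLikeBrowser(src, origin = PAGE_ORIGIN) {
  const base = new URL(origin);
  const resolved = new URL(src, base);
  return {
    href: resolved.href,
    hostname: resolved.hostname,
    sameOrigin: resolved.origin === base.origin,
  };
}

// Hostname allowlist check shared by both decision functions; unparsable input is rejected.
function hostnameAllowed(src, allowedIframeHostnames, origin) {
  try {
    return allowedIframeHostnames.includes(resolveLikeBrowser(src, origin).hostname);
  } catch {
    return false;
  }
}

// Vulnerable decision: anything that *looks* relative to the legacy test skips the
// hostname check entirely whenever relative URLs are permitted.
function vulnerableAllows(src, opts = {}) {
  const { allowIframeRelativeUrls = true, allowedIframeHostnames = ALLOWED_IFRAME_HOSTNAMES, origin = PAGE_ORIGIN } = opts;
  if (legacyIsRelative(src)) return allowIframeRelativeUrls;
  return hostnameAllowed(src, allowedIframeHostnames, origin);
}

// Hardened decision: "relative" is decided only after browser-faithful resolution, so a
// value bypasses the allowlist only if it really stays on the embedding page's origin.
function hardenedAllows(src, opts = {}) {
  const { allowIframeRelativeUrls = true, allowedIframeHostnames = ALLOWED_IFRAME_HOSTNAMES, origin = PAGE_ORIGIN } = opts;
  let resolved;
  try {
    resolved = resolveLikeBrowser(src, origin);
  } catch {
    return false; // unparsable value: reject
  }
  if (resolved.sameOrigin) return allowIframeRelativeUrls;
  return allowedIframeHostnames.includes(resolved.hostname);
}

// Demo over constructed inputs: a genuine relative path, the CVE pattern, a backslash-only
// variant, an allowlisted protocol-relative embed and a plain absolute URL on another host.
for (const src of ['/embed/local', '/\\example.com', '\\\\example.com', '//www.youtube.com/embed/x', 'https://evil.example/']) {
  console.log(
    JSON.stringify(src),
    'legacyRelative=' + legacyIsRelative(src),
    'browser=' + resolveLikeBrowser(src).href,
    'vulnerable=' + vulnerableAllows(src),
    'hardened=' + hardenedAllows(src)
  );
}
```

The hardened version only works because it is told the origin the sanitized HTML will be served from, which a general-purpose sanitizer normally does not know; a fix inside the library therefore cannot rely on origin comparison and must instead treat anything a browser could read as an authority (a leading `/` or `\` followed by `/` or `\`) as absolute. Either way, the rule is the same: classify the URL with a parser that behaves like the browser, never with a scheme-and-slash heuristic.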
What is the Impact of CVE-2021-26540?
Successful exploitation lets an attacker embed a document from a host of their choosing inside an iframe on a page that was supposed to restrict iframe sources, enabling content spoofing, phishing, and UI redress attacks presented under the host application's URL. Scripts in the framed document run in the attacker's origin, not the host page's, so this is content injection rather than direct cross-site scripting against the host page; it still places an attacker-controlled, interactive document inside a trusted site.
What is the Exploitability of CVE-2021-26540?
Exploitation consists of submitting HTML that the application passes through a vulnerable sanitize-html, with an iframe `src` crafted to look relative to the sanitizer but absolute to the browser, for example `/\example.com`. Complexity is moderate: the attacker needs to understand how the sanitizer classifies URLs and which pattern defeats that classification. No server-side authentication or special privilege is required beyond whatever is needed to submit content, since the flaw lies in how user-provided input is handled, and the attack is remote in practice. The critical prerequisite is that the target enables `allowIframeRelativeUrls` while restricting hosts with `allowedIframeHostnames`; sanitize-html does not allow relative iframe URLs by default once `allowedIframeHostnames` is set, so the application must have opted in. Applications that render user-submitted HTML containing embeds (comments, posts, CMS content) while trying to restrict iframe sources are the most likely targets.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-26540?
Available Upgrade Options
- sanitize-html
- <2.3.2 → Upgrade to 2.3.2
Additional Resources
- https://osv.dev/vulnerability/GHSA-mjxr-4v3x-q3m4
- https://advisory.checkmarx.net/advisory/CX-2021-4309
- https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26
- https://nvd.nist.gov/vuln/detail/CVE-2021-26540
- https://github.com/apostrophecms/sanitize-html/pull/460
What are Similar Vulnerabilities to CVE-2021-26540?
Similar Vulnerabilities: CVE-2021-26539 (an internationalized-domain-name bypass of the same `allowedIframeHostnames` check, fixed in sanitize-html 2.3.1), CVE-2021-44586, CVE-2020-25697, CVE-2019-17498
