CVE-2021-29272
Cross-Site Scripting (XSS) vulnerability in bluemonday (Go)
What is CVE-2021-29272 About?
bluemonday before version 1.0.5 is vulnerable to Cross-Site Scripting (XSS) due to an issue with Go's lowercasing mechanism. The flaw defeats the sanitizer's protection against the 'script' tag name, making it easy for attackers to inject malicious scripts. Successful exploitation can lead to arbitrary script execution in the victim's browser.
Affected Software
Technical Details
The bluemonday library enforces an XSS protection mechanism that filters out 'script' tags. In versions before 1.0.5, however, a weakness related to Go's lowercasing behavior allows this protection to be bypassed. When an attacker includes an uppercase Cyrillic character within the 'script' string (e.g., <sсript>), Go's lowercasing function converts this Cyrillic character into a Latin 's' that matches the sanitized 'script' tag. The sanitizer therefore treats the element as 'script' when deciding how to handle its content, while the tag itself is not the one the filter was written to catch, so the malicious script passes through the sanitizer and is executed in the victim's browser. The result is client-side arbitrary script execution.
What is the Impact of CVE-2021-29272?
Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or data theft.
What is the Exploitability of CVE-2021-29272?
Exploitation of this XSS vulnerability is relatively easy: the attacker crafts a malicious string containing the specific uppercase Cyrillic character that bypasses the filter. No authentication or special privileges are required beyond the ability to inject attacker-controlled input into a web application that uses bluemonday for sanitization, so this is typically a remote vulnerability exploited through a web interface. The primary condition is that the application sanitizes untrusted input with bluemonday and that this input can contain the bypass character. Risk increases where user-generated content or external data is displayed directly without robust output encoding or a correctly functioning HTML sanitizer.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-29272?
About the Fix from Resolved Security
The patch introduces the normaliseElementName function, which canonicalizes HTML tag names by lowercasing them and escaping non-ASCII characters, preventing attackers from using visually similar Unicode variants (e.g., Turkish İ in <scrİpt>) to bypass filter logic. This directly addresses CVE-2021-29272, which allowed XSS payloads to evade sanitization by exploiting case folding and Unicode ambiguities in tag names. By normalizing both start and end tag names, the patch ensures consistency and proper policy enforcement, closing the Unicode obfuscation vector.
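The following Go program is an added example, not bluemonday's own code: it contrasts the Unicode-folding comparison described in the Technical Details with a reimplementation of the normalisation outlined above (escape non-ASCII, then lowercase), and adds an ASCII-only fold as a second defensive option, since HTML tag names are only ASCII case-insensitive. The tag names are constructed inputs; the Turkish İ (U+0130) case is the one named in the fix description.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Pre-1.0.5 behaviour as described above: strings.ToLower applies full
// Unicode case mapping, so U+0130 (İ) folds to ASCII 'i'.
func vulnerableCanonical(tag string) string {
	return strings.ToLower(tag)
}

// Reimplementation of the fix's idea (added example, not the project's code):
// escape non-ASCII runes with strconv.QuoteToASCII before lowercasing, so the
// look-alike becomes the literal text `\u0130` and can never equal "script".
func normaliseElementName(tag string) string {
	quoted := strconv.QuoteToASCII(tag) // wraps the result in double quotes
	unquoted := strings.TrimSuffix(strings.TrimPrefix(quoted, `"`), `"`)
	return strings.ToLower(unquoted)
}

// Alternative defence: HTML tag names are only ASCII case-insensitive, so
// folding just A-Z (as browsers do) also refuses to match Unicode variants.
func asciiLower(tag string) string {
	b := []byte(tag)
	for i, c := range b {
		if c >= 'A' && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// treatedAsScript is the decision the bypass abused: does the canonicalised
// name compare equal to "script"?
func treatedAsScript(canon func(string) string, tag string) bool {
	return canon(tag) == "script"
}

func main() {
	// Constructed inputs: plain, ASCII-uppercase, and the U+0130 look-alike.
	for _, tag := range []string{"script", "SCRIPT", "scr\u0130pt"} {
		fmt.Printf("%-12q vulnerable=%-5t fixed=%-5t ascii=%t\n", tag,
			treatedAsScript(vulnerableCanonical, tag),
			treatedAsScript(normaliseElementName, tag), treatedAsScript(asciiLower, tag))
	}
}
```

Only the pre-1.0.5 fold classifies the U+0130 variant as 'script'; both hardened canonicalisers keep it distinct while still matching plain ASCII case variants.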
Available Upgrade Options
- github.com/microcosm-cc/bluemonday
- <1.0.5 → Upgrade to 1.0.5
Additional Resources
- https://github.com/microcosm-cc/bluemonday
- https://vuln.ryotak.me/advisories/4.txt
- https://osv.dev/vulnerability/GO-2022-0762
- https://github.com/microcosm-cc/bluemonday/releases/tag/v1.0.5
- https://nvd.nist.gov/vuln/detail/CVE-2021-29272
- https://github.com/microcosm-cc/bluemonday/issues/111
- https://github.com/microcosm-cc/bluemonday/commit/524f142fe46e945b7dcd291d7805c4b7dcf75bee
- https://vuln.ryotak.me/advisories/4
What are Similar Vulnerabilities to CVE-2021-29272?
Similar Vulnerabilities: CVE-2023-3446, CVE-2023-45588, CVE-2023-28104, CVE-2023-27909, CVE-2023-38827
