CVE-2022-25887
Regular Expression Denial of Service (ReDoS) vulnerability in sanitize-html (npm)
What is CVE-2022-25887 About?
This vulnerability affects `sanitize-html` versions prior to 2.7.1. An insecurely written global regular expression lets an attacker trigger a Regular Expression Denial of Service (ReDoS): a specially crafted input string causes excessive processing and leaves the application unresponsive. Exploitation is relatively easy, requiring only that a malicious string reach the sanitizer.
Affected Software
sanitize-html (npm), all versions prior to 2.7.1.
Technical Details
The sanitize-html package, in versions before 2.7.1, is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The flaw lies in an insecurely constructed global regular expression used to strip HTML comments from URL attribute values. A specially crafted input string containing a pathological sequence that interacts poorly with this regular expression forces the regex engine to backtrack excessively, so processing time grows far faster than the length of the input. Even relatively small inputs therefore cause high CPU utilisation and application unresponsiveness, effectively resulting in a denial of service. Because Node.js evaluates regular expressions synchronously on the event loop, one crafted request can stall every other request handled by that process.
What is the Impact of CVE-2022-25887?
Successful exploitation may allow attackers to cause applications using the affected package to become unresponsive, leading to a denial of service.
What is the Exploitability of CVE-2022-25887?
Exploitation complexity is low: the attacker only needs to supply a malicious input string to an application that passes it through sanitize-html. No authentication or elevated privileges are required. The attack is typically remote, since the usual reason to use the package is to sanitize user-supplied content arriving from web forms or APIs. The critical prerequisite is that the application runs a vulnerable version of sanitize-html and feeds it untrusted input. The likelihood of exploitation increases in applications that sanitize large volumes of user-generated content without input length limits or rate limiting.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-25887?
About the Fix from Resolved Security
This patch replaces the single global regular-expression replacement that removed HTML comments from URL attribute values, the regular expression CVE-2022-25887 identifies as insecure, with logic that iteratively strips comment patterns until none remain. Beyond removing the ReDoS vector, the iterative approach also catches nested or repeated comments that a single pass could leave behind, which an attacker could otherwise use to smuggle a javascript: URL past the sanitizer.
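As an added illustration of the Technical Details and the fix description above (example code written for this page, not sanitize-html's own source), the block below contrasts a comment-stripping regex with super-linear worst-case behaviour against a single-pass scanner that runs in linear time and also removes an opener that only comes into being once an inner comment has been cut out. The pattern `/<!--.*?-->/g`, the crafted-input builder and every helper name are assumptions made for this example; the pattern is not asserted to be the one the library shipped.

```javascript
// Added example, not sanitize-html's code. Assumption: a comment-stripping
// regex of this shape; the crafted inputs below are constructed here.

// ILLUSTRATIVE pattern. For every "<!--" in the input a backtracking engine
// extends the lazy ".*?" one character at a time to the end of the string
// looking for "-->". An input made of many openers and no closer therefore
// costs roughly (number of openers) x (input length): quadratic.
const COMMENT_RE = /<!--.*?-->/g;

// Single global replacement: one pass, and an opener formed by joining the
// text on either side of a removed comment is never revisited.
function stripCommentsRegex(href) {
  return href.replace(COMMENT_RE, '');
}

// Linear-time scanner. Output is kept in an array and its tail is checked for
// "<!--" after every character, so an opener that appears only after a cut
// (e.g. "<!-" + "<!--x-->" + "-") is caught immediately. Each input character
// is visited once; an unterminated comment is left verbatim, as the regex does.
function stripCommentsScan(href) {
  const out = [];
  let i = 0;
  while (i < href.length) {
    out.push(href[i]);
    i += 1;
    const n = out.length;
    if (n >= 4 && out[n - 4] === '<' && out[n - 3] === '!' &&
        out[n - 2] === '-' && out[n - 1] === '-') {
      out.length = n - 4;                      // drop the opener
      const close = href.indexOf('-->', i);    // find the matching closer
      if (close === -1) {                      // unterminated: restore as-is
        return out.join('') + '<!--' + href.slice(i);
      }
      i = close + 3;                           // skip body and closer
    }
  }
  return out.join('');
}

// Constructed worst case for the regex: many openers, no closer.
function craftedInput(openers) {
  return '<!--'.repeat(openers);
}

function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Returns wall-clock time for both strippers on the same crafted input.
function compare(openers) {
  const input = craftedInput(openers);
  return {
    openers,
    regexMs: timeMs(stripCommentsRegex, input),
    scanMs: timeMs(stripCommentsScan, input),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Doubling the opener count should roughly quadruple regexMs while scanMs
  // stays flat.
  for (const k of [500, 1000, 2000]) {
    console.log(compare(k));
  }
  // Why the iterative behaviour matters: a single regex pass leaves an
  // opener behind, the scanner removes the comment it re-forms.
  const sneaky = 'java<!-<!--x-->-script:-->';
  console.log(stripCommentsRegex(sneaky), '|', stripCommentsScan(sneaky));
}
```

Run it with `node` and read the `regexMs` column: each doubling of the opener count multiplies it by about four, while `scanMs` barely moves. Upgrading to 2.7.1 is the fix; as defence in depth, cap the length of attribute values before they reach any sanitizer so that a pathological string cannot pin the event loop.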
Available Upgrade Options
- sanitize-html
- <2.7.1 → Upgrade to 2.7.1
Additional Resources
- https://github.com/apostrophecms/sanitize-html/pull/557
- https://nvd.nist.gov/vuln/detail/CVE-2022-25887
- https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526
- https://osv.dev/vulnerability/GHSA-cgfm-xwp7-2cvr
- https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102
What are Similar Vulnerabilities to CVE-2022-25887?
Similar Vulnerabilities: CVE-2021-23377, CVE-2020-28267, CVE-2019-10741, CVE-2018-16471, CVE-2017-16016
