CVE-2024-21501
Information Exposure vulnerability in sanitize-html (npm)

Information Exposure | No known exploit | Fixable by Resolved Security

What is CVE-2024-21501 About?

The `sanitize-html` package before version 2.12.1 is vulnerable to information exposure when used on the backend with the `style` attribute allowed. This can lead to an attacker enumerating files and dependencies on the system. Exploitation is relatively easy if the specific configuration is present.

Affected Software

sanitize-html <2.12.1

Technical Details

The `sanitize-html` library, when configured to allow the `style` attribute and used in a backend context, can be exploited for information exposure. The vulnerability stems from how certain style properties or values, when rendered in specific environments (e.g., in error messages or by browser behavior if the sanitized output finds its way to a client), might expose file paths or details about project dependencies. An attacker can craft input HTML with a malicious `style` attribute that, when processed and subsequently rendered or logged, leaks system information. The fix description below indicates the underlying mechanism: the CSS in a `style` attribute is parsed with PostCSS, which attempts to resolve `sourceMappingURL` directives unless source map parsing is disabled.

What is the Impact of CVE-2024-21501?

Successful exploitation may allow attackers to gather sensitive details about the file system structure, installed dependencies, and other server-side information, which can aid in further, more targeted attacks.

What is the Exploitability of CVE-2024-21501?

Exploitation depends on the `sanitize-html` package being used on the backend with the `style` attribute explicitly allowed in its configuration. The attacker would need to provide input HTML content to the server where sanitization occurs. This typically implies unauthenticated remote access to an input field processed by the vulnerable component. No specific privileges are required. The complexity is low to moderate, as it largely depends on crafting specific `style` attribute values that trigger information disclosure. The risk is higher in applications that accept untrusted HTML input and employ this specific, vulnerable configuration.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2024-21501?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch explicitly disables source map parsing by setting `{ map: false }` when calling `postcssParse` on CSS in `style` attributes, preventing PostCSS from attempting to resolve `sourceMappingURL` directives. This fixes CVE-2024-21501 by eliminating a vector for path traversal or remote file inclusion attacks triggered by maliciously crafted `style` attributes referencing source maps.

Available Upgrade Options

  • sanitize-html
    • <2.12.1 → Upgrade to 2.12.1
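To check whether a project matches the conditions described above (a `sanitize-html` release before 2.12.1 with the `style` attribute allowed), the following added example, which is not code from sanitize-html or Resolved Security, audits a parsed `package-lock.json` together with a sanitize-html options object. The function names, lockfile contents and options are constructed for illustration; it assumes the lockfile v2/v3 `packages` layout and that the options passed in are the ones used by the code calling each installed copy.

```javascript
// Added example: constructed inputs, no third-party modules needed.
const FIXED = [2, 12, 1]; // first fixed release named in the advisory

// Compare numerically: as strings, "2.9.0" would sort above "2.12.1".
function isVulnerableVersion(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return version.includes('-'); // flag pre-releases of 2.12.1 (conservative)
}

// Every installed copy, nested ones included, from the lockfile "packages" map.
function findSanitizeHtml(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path.endsWith('node_modules/sanitize-html') && meta.version)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// True when the sanitize-html options let a style attribute through.
function allowsStyle(options = {}) {
  const attrs = options.allowedAttributes;
  if (attrs === false) return true; // false means "allow every attribute"
  if (!attrs) return false;         // library defaults do not include style
  return Object.values(attrs).some((list) => list.some((entry) => {
    // Entries are strings (wildcards such as "data-*" allowed) or { name, ... } objects.
    const name = typeof entry === 'string' ? entry : entry.name;
    const escaped = name.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
    return new RegExp('^' + escaped + '$').test('style');
  }));
}

function audit(lock, options) {
  return findSanitizeHtml(lock)
    .filter((p) => isVulnerableVersion(p.version) && allowsStyle(options))
    .map((p) => `${p.path}@${p.version}: style allowed on a release before 2.12.1`);
}

// Constructed sample data: a fixed top-level copy and an older nested copy.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/sanitize-html': { version: '2.12.1' },
  'node_modules/cms-plugin/node_modules/sanitize-html': { version: '2.9.0' },
} };
const sampleOptions = { allowedTags: ['p', 'span'], allowedAttributes: { '*': ['style'] } };
console.log(audit(sampleLock, sampleOptions));
```

The nested copy is the one reported: upgrading the top-level dependency does not change what a transitive dependency has pinned.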


Additional Resources

What are Similar Vulnerabilities to CVE-2024-21501?

Similar Vulnerabilities: CVE-2023-38545, CVE-2022-38686, CVE-2022-0943, CVE-2016-0792, CVE-2015-3225