CVE-2024-21501 - "sanitize-html" Package Before 2.12.1 Exposes Sensitive Information Through Improper Style Attribute Sanitization

CVE-2024-21501 refers to a security vulnerability in the popular "sanitize-html" package, which is widely used in various web applications to sanitize user-input HTML content. This vulnerability affects versions prior to 2.12.1 and can lead to unintentional exposure of sensitive information, including the enumeration of files in the system and related project dependencies.

The vulnerability arises when the "sanitize-html" package is used in server-side applications with the style attribute allowed. In this situation, an attacker could potentially exploit this vulnerability to gather details about the targeted server's file system structure and dependencies.

In this post, we take a closer look at CVE-2024-21501, including a code snippet demonstrating the issue, links to the original references, and further details on how this vulnerability can be exploited.

Code Snippet

The following is a minimal Node.js (Express) web server that uses the "sanitize-html" package with the style attribute allowed:

const express = require('express');
const sanitizeHtml = require('sanitize-html');

const app = express();
// Parse JSON request bodies so that req.body.html is populated.
app.use(express.json());

app.post('/sanitize', (req, res) => {
    // Allowing the style attribute on every tag, without an allowedStyles
    // whitelist, is the configuration the post describes as vulnerable.
    const sanitizedHtml = sanitizeHtml(req.body.html, {
        allowedAttributes: {
            ...sanitizeHtml.defaults.allowedAttributes,
            '*': ['style']
        }
    });

    res.send(sanitizedHtml);
});

app.listen(300, () => {
    console.log('Server listening on port 300');
});

A user could submit the following malicious HTML in a POST request to the "/sanitize" endpoint:

<div style="background-image: url('file:///path/to/sensitive/file');"></div>

After sanitization, the server would return the following HTML unchanged:

<div style="background-image: url('file:///path/to/sensitive/file');"></div>

The server's response still contains the path to a potentially sensitive file, effectively exposing the file system structure to an attacker.

Original References

1. sanitize-html Package on npmjs
2. CVE-2024-21501 Summary on CVE Details
3. GitHub Repository of sanitize-html
4. sanitize-html PR with Fix

Exploit Details

An attacker could potentially exploit CVE-2024-21501 by crafting a malicious HTML payload that contains a path to a sensitive file and submitting it to a server running a vulnerable version of the "sanitize-html" package. The response received from the server would then contain information about the file system structure and potentially sensitive files.

It is crucial for developers and system administrators to ensure they are using a version of the "sanitize-html" package that is not affected by this vulnerability, i.e., version 2.12.1 or later. The updated package properly disallows file:// URLs in sanitized HTML, preventing any exposure of sensitive information.
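Two defender-side checks for the scenario described above, added here as an illustration (this is not code from the original post or from the sanitize-html project): a version gate against the 2.12.1 fix threshold, and a scan of style attributes in an HTML fragment for url() references that do not use http(s), which flags the file:// payload shown earlier.

```javascript
// Added example, written for this post; not part of sanitize-html.
const FIXED_VERSION = '2.12.1'; // first release the post says is not affected

// Numeric comparison of dotted versions; returns -1, 0 or 1.
// A leading range prefix such as ^ or ~ is stripped before comparing.
function compareVersions(a, b) {
  const parse = v => v.replace(/^[\^~=v]/, '').split('.').map(s => parseInt(s, 10) || 0);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the given sanitize-html version is before 2.12.1.
function isAffectedVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Collect url() targets in one style attribute value that are not http(s).
// The post's payload uses file://; treating every non-http(s) scheme as
// disallowed also covers data: URLs and relative paths.
function findDisallowedStyleUrls(styleValue) {
  const hits = [];
  const re = /url\(\s*(['"]?)([^'")]*)\1\s*\)/gi;
  let m;
  while ((m = re.exec(styleValue)) !== null) {
    const target = m[2].trim();
    if (!/^https?:\/\//i.test(target)) hits.push(target);
  }
  return hits;
}

// Walk every style="..." attribute in an HTML fragment (constructed regex
// scan for request-log review, not a full HTML parser) and return the
// disallowed url() targets found.
function auditStyleAttributes(html) {
  const findings = [];
  const attrRe = /style\s*=\s*(['"])([\s\S]*?)\1/gi;
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    findings.push(...findDisallowedStyleUrls(m[2]));
  }
  return findings;
}

// Constructed sample: the post's payload next to a benign http(s) background.
const SAMPLE = '<div style="background-image: url(\'file:///path/to/sensitive/file\');"></div>'
  + '<p style="background: url(https://example.com/a.png)"></p>';
```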

Conclusion

CVE-2024-21501 is a critical security vulnerability affecting versions of the "sanitize-html" package prior to 2.12.1. If left unpatched, it could potentially lead to unauthorized access to sensitive information about the server's file system structure and installed project dependencies. To keep your server secure, ensure you are using version 2.12.1 or later of the "sanitize-html" package.

If you have any further questions about CVE-2024-21501, please feel free to reach out in the comments below or visit the provided reference links for more information.

Timeline

Published on: 02/24/2024 05:15:44 UTC
Last modified on: 03/06/2024 14:15:48 UTC