MEDIUM · confirmed · vulnerable-dependency · known-cve-version-pin · 5d8d3f55bfbf

sanitize-html pinned to 1.4.2 — multiple XSS bypass CVEs

sanitize-html is pinned to 1.4.2, a version vulnerable to several documented XSS sanitizer-bypass advisories fixed in 1.20.x / 2.x.

File: package.json
Lines: 133-133
Confidence: 90%
File status: validated
Details

The manifest contains:

"sanitize-html": "1.4.2",

1.4.2 is from 2016 and pre-dates the fixes for, among others, CVE-2021-26539 / CVE-2021-26540 (XSS via crafted style/transformTags handling) as well as numerous postMessage/img-src bypasses. The current maintained line is 2.x. Pinning to an exact pre-fix version with no caret guarantees the vulnerable build is installed even after npm update.

Proof of concept
  1. Feed sanitize-html inputs such as <a href="javascript:alert(1)">x</a> and variants that use mixed case, null bytes, or &#x3a; encodings.
  2. Multiple historical PoCs bypass 1.4.2's allowlist and emit executable HTML.
  3. Render the output in a browser — script executes.
Impact

Stored or reflected XSS wherever user-controlled HTML is run through this sanitizer, affecting all visitors of the rendered content. Triggerable without authentication on any endpoint that accepts sanitized input.

Validation: confirmed

The package.json line "sanitize-html": "1.4.2" is an exact-version pin (no caret/tilde) to a 2016 release that predates numerous fixed XSS sanitizer-bypass advisories (CVE-2021-26539, CVE-2021-26540, and earlier allowlist/style-handling bypasses fixed in 1.20.x and 2.x). Since sanitize-html's purpose is to neutralize untrusted HTML before rendering, using a pre-fix build means crafted payloads can pass through and execute in the browser. The scope explicitly forbids downgrading findings because Juice Shop is intentionally vulnerable, so the known-vulnerable-version finding stands on technical merit.

CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base score: 6.1 · MEDIUM

The "sanitize-html": "1.4.2" pin in package.json installs a 2016 build that pre-dates fixes for documented bypass CVEs (e.g. CVE-2021-26539/26540), so attacker-supplied HTML routed through it can emit javascript: URIs and other executable constructs. The finding states the sanitizer is reachable on unauthenticated sanitized-input endpoints, so PR:N and AV:N apply; exploitation requires a victim to render the output in a browser, so UI:R. Successful XSS executes script in the victim's browser origin — a different security authority than the Node sanitizer component — justifying Scope:C, with typical XSS impact of limited confidentiality (session/DOM theft) and integrity (DOM/UI tampering) and no direct availability impact.

References