remark-html
Fixed in
14.0.1
13.0.3
13.0.2
CVE-2021-39199 is a critical Cross-Site Scripting (XSS) vulnerability affecting the remark-html Node.js package. It allows attackers to inject arbitrary HTML, potentially leading to malicious script execution within a user's browser. The issue stems from an unsafe default: the package was not safe by default, and the implementation did not match the documentation. Versions prior to 13.0.2 and 14.0.1 are affected; patched releases are available.
The impact of CVE-2021-39199 is significant due to the potential for arbitrary HTML injection. An attacker could inject malicious scripts into a website or application using remark-html, leading to various consequences. These include stealing user credentials, redirecting users to phishing sites, defacing the website, or even gaining control of the user's session. The ability to inject arbitrary HTML bypasses intended sanitization measures, making it a high-risk vulnerability. It is particularly concerning because the package was previously believed to be safe by default, leading to widespread, potentially unpatched deployments.
Public proof-of-concept exploits for CVE-2021-39199 are likely to emerge given the ease of exploitation and the critical severity. While no active exploitation campaigns have been publicly confirmed as of this writing, the vulnerability's simplicity and potential impact make it a prime target. The vulnerability was disclosed on September 7, 2021, and is not currently listed on CISA KEV.
Applications and websites built with Node.js that utilize the remark-html package, particularly those relying on the default configuration without explicit sanitization, are at risk. This includes content management systems (CMS) and static site generators that integrate remark-html for HTML processing.
• nodejs / supply-chain: npm list remark-html
• nodejs / supply-chain: npm audit remark-html
• generic web: Inspect website source code for instances of remark-html usage and verify the sanitize: true option is being used if running an older, vulnerable version.
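To complement the `npm list` check above, here is an added example (not code from this advisory or from the remark-html project) that scans the `packages` map of a lockfileVersion 2/3 `package-lock.json` for every installed copy of remark-html, nested ones included, and compares each against the fixed releases named on this page. The sample lockfile and the `docs-tool` and `old-cms` package names are constructed for illustration, and treating majors above 14 as fixed is an assumption.

```javascript
// Fixed releases named on this page: 13.0.2 (13.x line) and 14.0.1 (14.x line).
const FIXED = { 13: [13, 0, 2], 14: [14, 0, 1] };

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (simplification).
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1).map(Number);
}

// Compare two [major, minor, patch] triples at the first differing component.
function lessThan(a, b) {
  const i = a.findIndex((n, k) => n !== b[k]);
  return i !== -1 && a[i] < b[i];
}

// True when the version is older than the fix for its release line.
function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] < 13) return true;   // prior to 13.0.2
  if (v[0] > 14) return false;  // assumption: majors after 14 postdate the fix
  return lessThan(v, FIXED[v[0]]);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json,
// including copies nested under other dependencies.
function findRemarkHtml(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/remark-html$/.test(path) && meta.version) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical package names, not a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/remark-html": { version: "13.0.1" },
    "node_modules/docs-tool/node_modules/remark-html": { version: "14.0.1" },
    "node_modules/old-cms/node_modules/remark-html": { version: "14.0.0" },
  },
};

for (const hit of findRemarkHtml(sampleLock)) {
  console.log(`${hit.affected ? "AFFECTED" : "ok"}  ${hit.version}  ${hit.path}`);
}
```

Any copy reported as affected still needs the `sanitize: true` option or an upgrade, even when the top-level install is already on a fixed release.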
disclosure
Exploit status
EPSS
0.33% (56th percentile)
CVSS vector
The primary mitigation for CVE-2021-39199 is to upgrade to version 13.0.2 or 14.0.1 of the remark-html package. These versions address the vulnerability by making the package safe by default and aligning the implementation with the documentation. For users unable to immediately upgrade, a temporary workaround is to explicitly enable sanitization by passing the sanitize: true option to the remarkHtml function. This will prevent the injection of malicious HTML. After upgrading, confirm the fix by attempting to inject HTML payloads and verifying they are properly sanitized.
Upgrade to version 13.0.2 or later, or to version 14.0.1 or later. If you cannot upgrade, pass the `sanitize: true` option when using `remark-html` to enable sanitization of user input.
CVE-2021-39199 is a critical XSS vulnerability in the remark-html Node.js package, allowing arbitrary HTML injection due to a misconfigured default setting.
You are affected if you are using remark-html versions prior to 13.0.2 or 14.0.1 and have not implemented the workaround.
Upgrade to version 13.0.2 or 14.0.1. Alternatively, use the {sanitize: true} option in older versions.
While no confirmed active exploitation campaigns are public, the vulnerability's ease of exploitation makes it a potential target.
Refer to the package's release notes and documentation for details on the fix and mitigation strategies.