CVE-2022-48345 in sanitize-urlinfo

Summary

by MITRE • 02/24/2023

sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/05/2025

The vulnerability identified as CVE-2022-48345 affects the sanitize-url package, specifically versions prior to 6.0.2, and represents a cross-site scripting vulnerability that arises from insufficient handling of HTML entities within URL sanitization processes. This package, commonly known as @braintree/sanitize-url, is widely used in web applications to clean and validate URLs, particularly in environments where user-provided input must be processed safely. The flaw manifests when the sanitization function fails to properly escape or remove HTML entities that could be embedded within URLs, allowing malicious actors to inject harmful scripts or content that bypass the intended security measures.

The technical root cause of this vulnerability lies in the package's inadequate filtering of HTML entities during URL processing, which creates a pathway for attackers to inject malicious payloads through carefully crafted URLs containing encoded characters such as ampersands, quotes, or other HTML escape sequences. When these malformed URLs are processed by the vulnerable version of sanitize-url, the HTML entities are not properly sanitized, leading to potential XSS execution in contexts where the sanitized URLs are later rendered in web browsers. This behavior directly violates the fundamental security principle that input validation should prevent malicious content from being interpreted as executable code rather than plain text.

The operational impact of this vulnerability extends beyond simple data theft or defacement, as it can enable attackers to execute arbitrary JavaScript within the context of a victim's browser session, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The vulnerability is particularly concerning because it affects a widely-used package that many developers rely on for URL sanitization, meaning that applications using vulnerable versions could be exposed to XSS attacks without the developers being aware of the specific security gap. This creates a significant risk in environments where user input is processed and sanitized before being stored or displayed, as the sanitization process itself becomes a vector for attack.

Security practitioners should immediately update to sanitize-url version 6.0.2 or later, which includes proper handling of HTML entities within the sanitization process. The fix typically involves implementing more robust input validation that either removes or properly encodes HTML entities before processing URLs, ensuring that potentially dangerous sequences are neutralized. Organizations should also conduct comprehensive audits of their codebases to identify any other instances where this package is used, particularly in contexts involving user-provided URLs or dynamic content rendering. From an ATT&CK framework perspective, this vulnerability maps to techniques involving server-side request forgery and cross-site scripting, while the CWE classification would likely fall under CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The vulnerability demonstrates how seemingly benign input sanitization functions can become attack vectors when they fail to properly account for all possible encoding methods that attackers might utilize to bypass security controls.

Reservation

02/24/2023

Disclosure

02/24/2023

Moderation

accepted

CPE

ready

EPSS

0.00560

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!