CVE-2023-49146 in DOMSanitizer

Summary

by MITRE • 11/23/2023

DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG document because of mishandling of comments and greedy regular expressions.


Analysis

by VulDB Data Team • 10/21/2025

CVE-2023-49146 is a cross-site scripting weakness in the DOMSanitizer library (npm package dom-sanitizer) in versions before 1.0.7. It stems from the way the sanitizer handles comments inside SVG documents and from overly greedy regular expression patterns. Applications that rely on dom-sanitizer to clean HTML containing SVG elements are affected: an attacker who can get crafted SVG markup through the sanitizer can have script execute in the victim's browser in the context of the embedding page. Whether the resulting XSS is stored or reflected depends on where the application puts the sanitized output.

The technical root cause is the library's use of greedy regular expressions that do not account for comment structures in SVG content. The CVE description does not give the exact patterns, but the bug class is well known: a greedy pattern matches as much text as possible, so a pattern meant to match one comment can run from the first "<!--" to the last "-->" in the document, and comment delimiters can split tokens that a separate pass checks for dangerous markup. Because the browser's HTML tokenizer handles comments differently from the sanitizer's regexes, the two disagree about what the output contains, and markup that the sanitizer never recognized as a script element or event handler reaches the browser intact. The weakness is classified as CWE-79, improper neutralization of input during web page generation. It is a logic flaw in string handling, not a memory-safety bug; its consequence is script execution in the victim's browser, not native code execution on a host.
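The following is an added example, not DOMSanitizer's code, that shows how the bug class described above arises and how a sanitizer is hardened against it. It contrasts a toy regex-based SVG sanitizer (constructed here; the regexes, function names and payloads are assumptions for the demo) that strips comments in a separate, greedy pass after checking for dangerous markup with a version that removes comments first using the HTML tokenizer's comment rules and then reruns its checks to a fixed point.

```javascript
// Added example (not DOMSanitizer's code): a toy regex-based SVG sanitizer that
// strips comments in a separate, greedy pass AFTER checking for dangerous markup,
// beside a hardened version. Regexes, payloads and names are constructed for the demo.

const SCRIPT_RE  = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;       // <script>...</script>
const HANDLER_RE = /\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;   // on* event handlers
const COMMENT_GREEDY_RE = /<!--[\s\S]*-->/g;                         // first "<!--" .. LAST "-->"

// Vulnerable pattern: dangerous-markup passes run first, comments are removed last.
// Removing a comment can glue fragments into a token the earlier passes never saw,
// and the greedy pattern also swallows everything between two unrelated comments.
function naiveSanitizeSvg(svg) {
  const checked = svg.replace(SCRIPT_RE, '').replace(HANDLER_RE, '');
  return checked.replace(COMMENT_GREEDY_RE, '');
}

// Hardened: remove comments FIRST with a scanner that handles the tokenizer's
// empty-comment forms "<!-->" and "<!--->", then run the dangerous-markup passes
// until the output stops changing, so no later pass can reassemble something
// an earlier pass already approved.
function stripComments(svg) {
  let out = '';
  let i = 0;
  while (i < svg.length) {
    const start = svg.indexOf('<!--', i);
    if (start === -1) { out += svg.slice(i); break; }
    out += svg.slice(i, start);
    const body = start + 4;
    if (svg.startsWith('>', body))  { i = body + 1; continue; }   // "<!-->"  is an empty comment
    if (svg.startsWith('->', body)) { i = body + 2; continue; }   // "<!--->" is an empty comment
    const end = svg.indexOf('-->', body);
    if (end === -1) break;            // unterminated comment: the parser eats the rest too
    i = end + 3;
  }
  return out;
}

function hardenedSanitizeSvg(svg) {
  let out = stripComments(svg);
  let before;
  do {
    before = out;
    out = out.replace(SCRIPT_RE, '').replace(HANDLER_RE, '');
  } while (out !== before);         // fixed point: one more pass changes nothing
  return out;
}

// Coarse check used to compare the two sanitizers: did anything executable survive?
function looksExecutable(markup) {
  return /<script\b/i.test(markup) || /\son[a-z]+\s*=/i.test(markup);
}

// Constructed inputs: comments split the dangerous tokens; the last one is benign.
const SPLIT_SCRIPT  = '<svg><scr<!-- x -->ipt>alert(1)</script></svg>';
const SPLIT_HANDLER = '<svg><image href="x" on<!-- y -->error="alert(1)"/></svg>';
const BENIGN        = '<svg><!-- a --><rect width="1"/><!-- b --></svg>';

for (const input of [SPLIT_SCRIPT, SPLIT_HANDLER, BENIGN]) {
  const naive = naiveSanitizeSvg(input);
  const hard  = hardenedSanitizeSvg(input);
  console.log('naive   :', naive, '| executable:', looksExecutable(naive));
  console.log('hardened:', hard,  '| executable:', looksExecutable(hard));
}
```

Run with node. The naive sanitizer lets both split payloads through as a live script element and a live onerror handler, while its greedy comment pattern deletes the benign rect between two comments; the hardened version removes the dangerous markup and keeps the rect. The broader lesson is that string-replacement passes over HTML must see the document the way the browser's tokenizer will, which is why DOM-based sanitization is the safer design.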

From an operational impact perspective, this vulnerability lets an attacker run script in the browser of any user who views the sanitized SVG content, which can lead to session hijacking, credential theft, or any action the victim's session is permitted to perform on the affected site. The attack requires no privileges beyond being able to submit SVG markup that the application passes through the vulnerable sanitizer. Web applications that accept user-supplied SVG (file uploads, avatars, rich-text or CMS content) and render it after sanitization are the most exposed. VulDB maps the weakness to ATT&CK technique T1566.001 (spearphishing attachment), since SVG files can also be delivered as attachments, but the direct vector is any feature that renders untrusted SVG in a page.

Organizations should upgrade to DOMSanitizer version 1.0.7 or later, where the comment handling and regular expression patterns were refined so that matching no longer consumes content beyond a single comment. Until the upgrade is deployed, a Content Security Policy that disallows inline script (a script-src directive without 'unsafe-inline') limits what an injected script element or event handler can do, and rendering untrusted SVG through an img element rather than inline prevents script execution in that SVG altogether. A web application firewall can block obvious payloads but cannot be relied on to recognize every comment-splitting variant. Security teams should also run automated dependency monitoring to detect vulnerable library versions and prepare incident response procedures for potential exploitation attempts.

Reservation

11/22/2023

Disclosure

11/23/2023

Moderation

accepted

CPE

ready

EPSS

0.00429

KEV

no

Activities

very low

Sources
