CVE-2024-21501 in sanitize-htmlinfo

Summary

by MITRE • 02/24/2024

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/26/2025

The vulnerability identified as CVE-2024-21501 affects the sanitize-html package, specifically versions prior to 2.12.1, presenting a significant information exposure risk when the package is deployed in backend environments with the style attribute permitted. This flaw represents a critical security weakness that enables unauthorized enumeration of system files and project dependencies through improper input sanitization. The vulnerability manifests when applications process user-supplied content that includes style attributes, creating an attack surface where malicious actors can probe the underlying file system structure.

The technical implementation of this vulnerability stems from insufficient validation and sanitization of CSS style attributes within the sanitize-html package. When the style attribute is allowed in the configuration, the package fails to properly restrict access to file system resources during the sanitization process. This occurs because the sanitization logic does not adequately filter or escape CSS properties that could reference external resources or internal file paths. The flaw allows attackers to craft malicious input that, when processed by the vulnerable package, reveals directory structures and file listings that should remain hidden from external access.

From an operational perspective, this vulnerability poses severe risks to backend systems that rely on sanitize-html for content filtering. Attackers can exploit the flaw to enumerate project dependencies, potentially gaining knowledge about the application stack, installed libraries, and system architecture. This information exposure enables more sophisticated attacks, as adversaries can use the gathered intelligence to identify potential targets for further exploitation or to craft more effective attack vectors against the system. The impact extends beyond simple file enumeration, as the exposed dependency information can reveal version numbers and known vulnerabilities in third-party components.

The vulnerability aligns with CWE-200, which addresses information exposure through improper error handling or insufficient access control. Additionally, this issue intersects with ATT&CK technique T1083, which covers directory and file system enumeration, and T1213, focusing on data from information repositories. Organizations using the sanitize-html package in backend contexts must consider this vulnerability as part of their broader attack surface assessment. The risk is particularly elevated in environments where the package processes untrusted input from multiple sources or where sensitive system information should remain protected from unauthorized access.

Mitigation strategies should prioritize immediate upgrade to sanitize-html version 2.12.1 or later, which addresses the information exposure vulnerability through enhanced input validation and proper restriction of file system access during CSS processing. Security teams should also implement additional controls such as restrictive Content Security Policy headers, input validation at multiple layers, and regular security scanning of dependencies. Organizations should conduct comprehensive reviews of their application configurations to ensure that the style attribute is not unnecessarily permitted in production environments, particularly in backend services where the risk of file system enumeration is highest. Regular monitoring and logging of sanitization activities can help detect potential exploitation attempts and provide early warning of unauthorized access attempts to system resources.

Responsible

Snyk

Reservation

12/22/2023

Disclosure

02/24/2024

Moderation

accepted

CPE

ready

EPSS

0.01018

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!