A mutation XSS (mXSS) vulnerability tracked as CVE-2021-23980 has been identified in Bleach, the Python HTML sanitizing library. The vulnerability affects users who call bleach.clean with a specific custom set of allowed tags and with the strip_comments keyword argument set to False. This post describes the vulnerable configuration, shows a code snippet with custom values that triggers it, explains how it is exploited and how to mitigate it, and links to the original resources.

Prerequisites

To understand the issue it helps to know that bleach.clean is commonly used to sanitize untrusted input in web applications: it removes or escapes HTML tags and attributes that are not on an allow list, which is what prevents Cross-site Scripting (XSS). A mutation XSS is a sanitizer bypass in which the sanitizer's output is well-formed from the sanitizer's point of view, but a browser parses that same output differently and ends up with script-capable markup. In Bleach's case, users who define custom allowed tags containing a specific combination, together with a non-default keyword argument, can inadvertently open that gap.

All three of the following must hold for a call to be exposed:

1. The allowed tags include svg or math.
2. The allowed tags also include one or more of the raw-text tags script, noscript, style, title, textarea, noframes, iframe and xmp (the set used in the snippet below).
3. The call passes the keyword argument strip_comments=False.

It is important to note that none of these tags are part of Bleach's default allowed tags (bleach.sanitizer.ALLOWED_TAGS), and the strip_comments keyword argument defaults to True. Using the default configuration therefore does not expose the vulnerability.

Exploit details

To demonstrate the vulnerability, consider the following snippet, in which a user allows the custom set of tags described above and sets strip_comments to False.

import bleach

# Attacker-controlled input: an svg element wrapping two HTML comments with
# an "onload=alert(1)" fragment between them.
html = "<svg><!--<img -->onload=alert(1)<!-- > -->"

# Custom allow list: svg/math plus several raw-text tags. None of these are
# in Bleach's defaults.
custom_allowed_tags = ['svg', 'math', 'p', 'br', 'style', 'script', 'title', 'noscript', 'textarea',
                       'noframes', 'iframe', 'xmp']

# strip_comments=False is the non-default setting that completes the
# vulnerable combination.
cleaned_html = bleach.clean(html, tags=custom_allowed_tags, strip_comments=False)
print(cleaned_html)

On a vulnerable Bleach release (before 3.3.0) the output is as follows

<svg><!--<img -->onload=alert(1)<!-- > --></svg>

As you can see, the comments and the onload=alert(1) fragment between them survive sanitization. Bleach's parser saw only comments and harmless text, but a browser that parses the cleaned output differently can end up treating that fragment as an event handler and executing it, which is what makes this a mutation XSS.

To mitigate this vulnerability, users can take the following actions

1. Prefer the default allowed tags provided by Bleach. If you must allow svg or math, be cautious about also allowing the raw-text tags listed above.

2. Ensure that strip_comments is either set to True or omitted (it defaults to True). Stripping comments removes the ingredient the payload relies on.

3. Upgrade Bleach to 3.3.0 or later, which contains the fix for CVE-2021-23980, and keep the library current so that future security releases are picked up.
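The following script is an added example and is not part of the original post or of the Bleach project. It audits a bleach.clean configuration against the three conditions described above and against the fixed version, and optionally runs the post's payload through the weak and hardened call. The set of raw-text tags is taken from the post's snippet and is assumed to be the complete trigger set; the version threshold 3.3.0 is the release that shipped the fix.

```python
import re

# Conditions from the advisory as described in this post: a call is exposed
# only when ALL three hold at once on an unpatched Bleach.
FOREIGN_CONTENT_TAGS = {"svg", "math"}
# Raw-text tags taken from the post's snippet (assumed to be the full trigger set).
RAWTEXT_TAGS = {"script", "noscript", "style", "title", "textarea",
                "noframes", "iframe", "xmp"}
FIXED_VERSION = (3, 3, 0)  # Bleach 3.3.0 contains the fix for CVE-2021-23980


def parse_version(version: str) -> tuple:
    """Turn '3.2.1' (or '3.3.0rc1', '3.3') into a comparable 3-int tuple."""
    parts = re.findall(r"\d+", version)[:3]
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def version_is_fixed(version: str) -> bool:
    """True if this Bleach version is at or past the fixed release."""
    return parse_version(version) >= FIXED_VERSION


def config_is_exposed(tags, strip_comments: bool) -> bool:
    """True if bleach.clean(tags=..., strip_comments=...) matches the
    vulnerable combination: svg/math + a raw-text tag + strip_comments=False."""
    tagset = {t.lower() for t in tags}
    return (not strip_comments
            and bool(tagset & FOREIGN_CONTENT_TAGS)
            and bool(tagset & RAWTEXT_TAGS))


def audit_call(version: str, tags, strip_comments: bool) -> str:
    """One-line verdict for a given Bleach version and clean() configuration."""
    if version_is_fixed(version):
        return "safe: Bleach %s includes the fix for CVE-2021-23980" % version
    if config_is_exposed(tags, strip_comments):
        return "VULNERABLE: upgrade to Bleach >= 3.3.0 or use strip_comments=True"
    return "not exposed by this configuration, but upgrade anyway"


def demo():
    """Run the post's payload through the weak and the hardened call.
    Requires the bleach package; returns None if it is not installed."""
    try:
        import bleach
    except ImportError:
        return None
    html = "<svg><!--<img -->onload=alert(1)<!-- > -->"   # payload from the post
    tags = {"svg", "math", "p", "br", "style", "script", "title", "noscript",
            "textarea", "noframes", "iframe", "xmp"}
    weak = bleach.clean(html, tags=tags, strip_comments=False)
    hardened = bleach.clean(html, tags=tags)  # strip_comments defaults to True
    print("bleach", bleach.__version__, "->",
          audit_call(bleach.__version__, tags, strip_comments=False))
    print("strip_comments=False :", weak)
    print("strip_comments=True  :", hardened)
    return weak, hardened


if __name__ == "__main__":
    demo()
```

Running the script prints the verdict for the installed Bleach and the two cleaned outputs side by side; on a patched release the weak configuration no longer differs in a dangerous way, on an unpatched one the hardened call drops the comments the payload depends on. The audit functions are pure Python, so they can be pointed at a code base's bleach.clean call sites without Bleach installed.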

For more information on CVE-2021-23980, consult the following sources

1. CVE-2021-23980 - Mutation XSS via MathML in Bleach
2. Bleach Documentation

Please keep in mind that security is a dynamic field, and vulnerabilities may arise over time. Stay informed and up-to-date on security best practices to minimize risks in your application.

Timeline

Published on: 02/16/2023 22:15:00 UTC
Last modified on: 02/27/2023 15:19:00 UTC