CVE-2022-0437 - DOM-Based Cross-site Scripting (XSS) in NPM Karma (Before v6.3.14)

On February 8, 2022, a vulnerability was publicly disclosed affecting Karma, a widely used JavaScript test runner for Node.js. The issue, identified as CVE-2022-0437, allows DOM-based Cross-site Scripting (XSS) attacks in Karma versions before 6.3.14. This post breaks down what happened, how it can be exploited, and what you should do about it—all in simple terms.

What Is Karma?

Karma is a test runner developed by the AngularJS team. Developers use it to run JavaScript tests across multiple browsers. Under the hood, Karma serves HTML files to browsers and reports test results. Since it often runs in developer machines and CI servers, it might appear less likely to be targeted, but this vulnerability shows risks are everywhere.

Description

The bug lies in the way Karma's browser client processes URLs, specifically how it uses elements of the URL or user-controlled input within the DOM, without proper sanitization or escaping. This opens the door for attackers to inject and execute arbitrary JavaScript in the context of the Karma web page.

From the official advisory

> Missing sanitization of user input allowed the injection and execution of arbitrary JavaScript code within the rendered Karma client web interface.

The Injection Point

The Karma web interface serves HTML pages to display test results. If you start Karma and visit http://localhost:9876/, the client-side JavaScript builds parts of the page using the URL or query parameters.

Crafting the Payload

An attacker could craft a specially formed URL containing a malicious script as a query parameter or document fragment. For example:

`

http://localhost:9876/?spec=

Execution

If the victim (often a developer running tests) is tricked into visiting this link (or if the URL is generated as part of build/test automation), the injected payload will execute in their browser, potentially allowing the attacker to steal cookies or hijack sessions.

Imagine a vulnerable snippet from Karma’s client code

// Hypothetical vulnerable code in karma/client/main.js

// The 'spec' param comes from the URL and is inserted into the page
const url = new URL(window.location);
const spec = url.searchParams.get('spec');
document.getElementById('results').innerHTML = spec; // BAD: Direct insertion!

If an attacker provides a value like <img src=x onerror=alert(1)>, arbitrary JavaScript code runs in your browser.

Visit

http://localhost:9876/?spec=<img%20src=x%20onerror=alert('XSS')>

You will see an alert pop up—this is your payload executing.

Why Does This Matter?

- Localhost Isn’t Safe: Many developers underestimate security risks on localhost, but opening up browsers (even in dev environments) to arbitrary code is always dangerous.
- Supply Chain: If you use Karma in CI, attackers could poison results or exfiltrate secrets if XSS is abused.

Update Karma to version 6.3.14 or later.

- The patch sanitizes input before rendering anything from the URL into the DOM.

Safe Code Example

// Use textContent instead of innerHTML, or apply sanitization
document.getElementById('results').textContent = spec; // Secure!

Or, sanitize using a library such as DOMPurify.

References

- CVE Details: CVE-2022-0437
- Karma Release v6.3.14
- GitHub PR: Sanitize inputs to prevent XSS
- DOMPurify (for sanitizing HTML)

Never trust input from URLs, even on localhost.

3. Review test and build systems for similar XSS risks—CI/CD tools are juicy targets!

Conclusion

CVE-2022-0437 is a great reminder: every tool in your stack needs to treat user (or URL) input carefully—even on development servers. Patch now, and keep your test runners and development tools up-to-date for everyone's safety.

Timeline

Published on: 02/05/2022 02:15:00 UTC
Last modified on: 02/10/2022 13:59:00 UTC