CVE-2021-26540: Improper Input Validation in sanitize-html
CVSS Score (v3.1): 5.3
Basic Information
CVE ID: CVE-2021-26540
GHSA ID
EPSS Score: 0.51974%
CWE
Published: 5/6/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| sanitize-html | npm | < 2.3.2 | 2.3.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in how the core sanitizeHtml function, the package's main export, handles iframe src attributes. Protocol-relative URLs containing backslashes and whitespace were not validated properly, and the patch adds validation logic for such values directly in this function, on the attribute processing path for iframe elements. The accompanying tests exercise that code path with malicious src values, confirming it is where the bypass occurred.
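As an added illustration, not sanitize-html's own code or its actual patch, the Node.js snippet below contrasts a naive prefix-based hostname check for iframe src values with one that first normalizes the value through the WHATWG URL parser, which is how a browser resolves backslashes and leading whitespace in protocol-relative URLs. The allowlist, page origin and sample src values are constructed.

```javascript
// Added example, not sanitize-html's own code or patch: an iframe src hostname
// allowlist must be checked on the URL as a browser resolves it, not on the raw
// attribute text. Allowlist, page origin and sample src values are constructed.
const ALLOWED_IFRAME_HOSTNAMES = ['www.youtube.com'];
const PAGE_ORIGIN = 'https://site.example';   // origin the sanitized HTML is served from
const ALLOW_RELATIVE = true;                  // same role as allowIframeRelativeUrls

// Naive check: only a tidy "//host" or "http(s)://host" prefix counts as an
// absolute URL; anything else is assumed to be a same-origin relative path.
// A backslash or leading whitespace defeats the prefix match, so the value is
// classed as relative and allowed, the failure mode this advisory describes.
function naiveIframeSrcAllowed(src) {
  const m = /^(?:https?:)?\/\/([^\/?#]+)/i.exec(src);
  if (!m) return ALLOW_RELATIVE;
  return ALLOWED_IFRAME_HOSTNAMES.includes(m[1].toLowerCase());
}

// Hardened check: let the WHATWG URL parser normalise the value the way a
// browser will (leading whitespace stripped, "\" read as "/" for http and
// https), then compare the resulting hostname. A genuinely relative URL
// resolves to the page's own hostname, so it is still permitted when allowed.
function hardenedIframeSrcAllowed(src) {
  let parsed;
  try {
    parsed = new URL(src, PAGE_ORIGIN);
  } catch (err) {
    return false; // unparsable values are rejected, not assumed harmless
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  if (ALLOW_RELATIVE && parsed.hostname === new URL(PAGE_ORIGIN).hostname) return true;
  return ALLOWED_IFRAME_HOSTNAMES.includes(parsed.hostname);
}

// Constructed sample values: a legitimate embed, a same-origin path, and two
// values that look relative to a prefix match but resolve to another host.
const SAMPLE_SRCS = [
  'https://www.youtube.com/embed/abc123',
  '/embed/local-video',
  '/\\other.example/embed',
  '  //other.example/embed',
];

// Runs both checks over the samples so the divergence is visible side by side.
function compareChecks(srcs = SAMPLE_SRCS) {
  return srcs.map((src) => ({
    src,
    naive: naiveIframeSrcAllowed(src),
    hardened: hardenedIframeSrcAllowed(src),
  }));
}
```

Calling `compareChecks()` shows the last two samples accepted by the naive check and rejected by the hardened one.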