7.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29489

GHSA ID

GHSA-8j65-4pcq-xq95

EPSS Score

0.30842%

CWE

CWE-79

Published

5/6/2021

Updated

1/29/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29489

CVE-2021-29489: Options structure open to Cross-site Scripting if passed unfiltered

Impact

In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the useHTML flag, HTML string options would be inserted unfiltered directly into the DOM. When useHTML was false, malicious code could be inserted by using various character replacement tricks or malformed HTML.

If your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.

Patches

In version 9, the whole rendering layer was refactored to use an DOMParser, an AST and tag and HTML allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.

Workarounds

Implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

References

Details on the improved Highcharts security
The AST and TextBuilder refactoring
The fix for prototype pollution

For more information

If you have any questions or comments about this advisory:

Visit our support page
For more Email us at security@highcharts.com

(GitHub Advisory)

7.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29489

GHSA ID

GHSA-8j65-4pcq-xq95

EPSS Score

0.30842%

CWE

CWE-79

Published

5/6/2021

Updated

1/29/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
highcharts	npm	< 9.0.0	9.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsanitized processing of the options structure. Key indicators are: 1) The 'useHTML' flag's direct DOM insertion path 2) Character replacement tricks implying text node injection vectors 3) The systemic lack of AST-based filtering pre-v9. The rendering layer's TextBuilder and core chart initialization would handle these untrusted inputs. While exact function names aren't explicitly listed in advisories, Highcharts' architecture and vulnerability patterns indicate these components as primary XSS injection points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In *i*****rts v*rsions * *n* **rli*r, t** ***rt options stru*tur* w*s not syst*m*ti**lly *ilt*r** *or XSS v**tors. T** pot*nti*l imp**t w*s t**t *ont*nt *rom untrust** sour**s *oul* *x**ut* *o** in t** *n* us*r's *rows*r. *sp**i*lly w**n u

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** pro**ssin* o* t** options stru*tur*. K*y in*i**tors *r*: *) T** 'us**TML' *l**'s *ir**t *OM ins*rtion p*t* *) ***r**t*r r*pl***m*nt tri*ks implyin* t*xt no** inj**tion v**tors *) T** syst*mi* l**k o* *ST-**s**

7.6

Basic Information

Concerned about an active attack path?

CVE-2021-29489: Options structure open to Cross-site Scripting if passed unfiltered

Impact

Patches

Workarounds

References

For more information

7.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI