CVE-2022-21169: express-xss-sanitizer vulnerable to Prototype Pollution via allowedTags attribute
6.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.2488%
CWE
Published
9/27/2022
Updated
1/29/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| express-xss-sanitizer | npm | < 1.1.3 | 1.1.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper prototype pollution protections in options handling. The pre-patch code in lib/sanitize.js checked 'if (Array.isArray(options.allowedTags)...' without first verifying the property exists directly on the options object using Object.hasOwn(). This allowed attackers to pollute Object.prototype.allowedTags to bypass sanitization. The commit added Object.hasOwn() checks to prevent prototype chain pollution, confirming this was the vulnerable function. The added test case demonstrates prototype pollution via Object.prototype.allowedTags manipulation that was possible before this fix.