Miggo Logo
Miggo Vulnerability Database
CVE-2022-21169

CVE-2022-21169: express-xss-sanitizer vulnerable to Prototype Pollution via allowedTags attribute

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-21169
GHSA ID
GHSA-grjp-4jmr-mjcw
EPSS Score
0.2488%
CWE
CWE-1321
Published
9/27/2022
Updated
1/29/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
express-xss-sanitizernpm< 1.1.31.1.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper prototype pollution protections in options handling. The pre-patch code in lib/sanitize.js checked 'if (Array.isArray(options.allowedTags)...' without first verifying the property exists directly on the options object using Object.hasOwn(). This allowed attackers to pollute Object.prototype.allowedTags to bypass sanitization. The commit added Object.hasOwn() checks to prevent prototype chain pollution, confirming this was the vulnerable function. The added test case demonstrates prototype pollution via Object.prototype.allowedTags manipulation that was possible before this fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** *xpr*ss-xss-s*nitiz*r ***or* *.*.* is vuln*r**l* to Prototyp* Pollution vi* t** `*llow**T**s` *ttri*ut*, *llowin* t** *tt**k*r to *yp*ss xss s*nitiz*tion.

Reasoning

T** vuln*r**ility st*ms *rom improp*r prototyp* pollution prot**tions in options **n*lin*. T** pr*-p*t** *o** in li*/s*nitiz*.js ****k** 'i* (*rr*y.is*rr*y(options.*llow**T**s)...' wit*out *irst v*ri*yin* t** prop*rty *xists *ir**tly on t** options o