CVE-2021-32696

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-32696

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32696.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-32696

Aliases

GHSA-qxg5-2qff-p49r

Related

GHSA-qxg5-2qff-p49r

Published

2021-06-18T20:15:07.633Z

Modified

2025-11-20T11:46:23.661010Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to a XSS.

References

Affected packages

Git / github.com/ericnorris/striptags

Affected ranges

Type: GIT
Repo: https://github.com/ericnorris/striptags
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f252a6b0819499cd65403707ebaf5cc925f2faca

Affected versions

v1.*

v1.0.0

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.1.0

v2.1.1

v2.1.2

v2.2.1

v3.*

v3.0.0

v3.0.1

v3.1.0

v3.1.1