CVE-2024-34078

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-34078

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34078.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-34078

Aliases

GHSA-wvhx-q427-fgh3

Downstream

DEBIAN-CVE-2024-34078

DLA-3856-1

UBUNTU-CVE-2024-34078

Published

2024-05-06T14:48:47Z

Modified

2025-10-15T09:26:25.429488Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

html-sanitizer allows arbitrary HTML present after sanitization because of unicode normalization

Details

html-sanitizer is an allowlist-based HTML cleaner. If using keep_typographic_whitespace=False (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has been fixed in 2.4.2.

References

Affected packages

Git / github.com/matthiask/html-sanitizer

Affected ranges

Type: GIT
Repo: https://github.com/matthiask/html-sanitizer
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

024004d53f8322548ed98fbe640759667dc6fc64

Affected versions

1.*

1.0

1.1

1.1.2

1.1.3

1.1.4

1.2

1.2.1

1.3

1.4

1.5

1.6

1.6.1

1.6.2

1.6.3

1.6.4

1.7

1.7.1

1.7.2

1.7.3

1.8

1.9

1.9.1

1.9.2

1.9.3

2.*

2.0

2.1

2.2

2.3

2.3.1

2.4

2.4.1