GHSA-j92c-7v7g-gj3f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j92c-7v7g-gj3f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-j92c-7v7g-gj3f/GHSA-j92c-7v7g-gj3f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j92c-7v7g-gj3f
- Aliases
- Published
- 2026-02-03T19:22:06Z
- Modified
- 2026-02-05T00:55:18.316926Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- HtmlSanitizer has a bypass via template tag
- Details
-
Impact
If the
templatetag is allowed, its contents are not sanitized. Thetemplatetag is a special tag that does not usually render its contents, unless theshadowrootmodeattribute is set toopenorclosed.The lack of sanitization of the template tag brings up two bypasses:
- it is still possible to forcibly render the contents of a
<template>tag through mutation XSS. The DOM parsers in browsers such as Chromium have a node depth limit of 512 and tags which are beyond that depth are flattened. This in turn allows elements within<template>(which are not sanitized) to be effectively 'popped out'. An example would look like this:<div>[...]<template><script>alert('xss')</script>where[...]denotes at least another 509 opening<div>tags. - If in addition to the template tag, the
shadowrootmodeattribute is allowed throughsanitizer.AllowedAttributes.Add("shadowrootmode");, the simple payload of<div><template shadowrootmode="open"><script>alert('xss')</script>would bypass the sanitizer. This is because such usage of<template>attaches a shadow root to its parent:<div>, and its contents will be rendered.
Note that the default configuration is not affected because the
templatetag is disallowed by default.Patches
The problem has been patched in versions 9.0.892 and 9.1.893-beta.
Workarounds
Disallow the
templatetag. It is disallowed by default.Resources
https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/template
- it is still possible to forcibly render the contents of a
- Database specific
{ "nvd_published_at": "2026-02-04T22:16:00Z", "cwe_ids": [ "CWE-116" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-03T19:22:06Z" }- References
-
- https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f
- https://nvd.nist.gov/vuln/detail/CVE-2026-25543
- https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81
- https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/template
- https://github.com/mganss/HtmlSanitizer
- https://github.com/mganss/HtmlSanitizer/releases/tag/v9.0.892
- https://www.nuget.org/packages/HtmlSanitizer/9.0.892
- https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta
Affected packages
NuGet / HtmlSanitizer
Package
- Name
- HtmlSanitizer
- View open source insights on deps.dev
- Purl
- pkg:nuget/HtmlSanitizer
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed9.0.892
Affected versions
1.*
1.0.4925.29815
1.0.4927.30873
1.1.5243.28448
1.1.5297.28403
1.1.5338.17998
2.*
2.0.5449.20550
2.0.5548.24932
2.0.5595.22183
2.0.5595.30325
2.0.5623.30465
2.0.5735.24296
3.*
3.0.66-beta
3.0.5781.31354-beta
3.1.67-beta
3.1.75-beta
3.1.76
3.1.79
3.1.91
3.1.93
3.1.98
3.2.96-beta
3.2.100-beta
3.2.103
3.2.105
3.3.122-beta
3.3.125-beta
3.3.126-beta
3.3.127-beta
3.3.128-beta
3.3.129-beta
3.3.130-beta
3.3.131-beta
3.3.132-beta
3.3.142
3.3.143-beta
3.3.144-beta
3.3.145-beta
3.3.146-beta
3.3.147-beta
3.3.148-beta
3.4.152-beta
3.4.156
3.5.168-beta
3.5.169-beta
4.*
4.0.179
4.0.180
4.0.181
4.0.182
4.0.183
4.0.185
4.0.187
4.0.197
4.0.199
4.0.201
4.0.204
4.0.205
4.0.207
4.0.210
4.0.217
5.*
5.0.215-beta
5.0.218-beta
5.0.250-beta
5.0.266-beta
5.0.274-beta
5.0.298
5.0.304
5.0.310
5.0.319
5.0.331
5.0.342
5.0.343
5.0.353
5.0.355
5.0.372
5.0.376
5.0.404
6.*
6.0.409-beta
6.0.423-beta
6.0.430-beta
6.0.437
6.0.441
6.0.453
7.*
7.0.470-beta
7.0.473
7.1.475
7.1.488
7.1.509
7.1.512
7.1.542
8.*
8.0.601
8.0.645
8.0.690-beta
8.0.691-beta
8.0.692
8.0.718
8.0.723
8.0.744
8.0.746
8.0.795
8.0.811
8.0.838
8.0.843
8.0.865
8.1.717-beta
8.1.719-beta
8.1.722-beta
8.1.745-beta
8.1.747-beta
8.1.748-beta
8.1.796-beta
8.1.812-beta
8.1.839-beta
8.1.844-beta
8.1.870
9.*
9.0.873
9.0.876
9.0.881
9.0.884
9.0.886
9.0.889
NuGet / HtmlSanitizer
Package
- Name
- HtmlSanitizer
- View open source insights on deps.dev
- Purl
- pkg:nuget/HtmlSanitizer