CVE-2023-22461

Name of the Vulnerable Software and Affected Versions sanitize-svg versions prior to 0.4.0

Description The sanitize-svg package uses a deny-list-pattern to sanitize SVGs and prevent cross-site scripting attacks. However, literal <script>-tags and on-event handlers were detected in versions prior to 0.4.0, which may make downstream software that relies on sanitize-svg vulnerable to cross-site scripting. This issue can be exploited through various means, including the use of Anchor Tag and Foreign Object Tag in XML files, allowing for JavaScript embedding. At least one downstream project has been affected by this vulnerability.

Recommendations For versions prior to 0.4.0, update to version 0.4.0 to address the vulnerability. As a temporary workaround, consider disabling the use of sanitize-svg until the update is applied. Restrict access to SVG files sanitized by sanitize-svg to minimize the risk of exploitation. Avoid using the sanitize-svg package in sensitive applications until the issue is resolved.