CVE-2018-1000160

Vulnerability

RisingStack protect version 1.2.0 and earlier contains a Cross-Site Scripting (XSS) vulnerability in the isXss() function within lib/rules/xss.js. The function uses two regular expressions (xssSimple and xssImgSrc) to detect XSS strings, but these regex patterns fail to catch at least 26 documented XSS attack vectors [1]. The affected package is meant to provide proactive protection against common security issues, yet the insufficient regex logic allows dangerous XSS payloads to be incorrectly validated as safe [3][4].

Exploitation

An attacker can craft any of the 26 XSS strings detailed in the GitHub issue #16 (e.g., using `, , , or event handler attributes) that bypasses the regex-based checks in isXss(). The attacker does not require special authentication; if the application uses the isXss()` function to sanitize user-supplied input before rendering it on a page, the malicious string will be treated as safe and subsequently rendered in a victim’s browser [1][2][3].

Impact

Successful exploitation allows an attacker to inject arbitrary JavaScript or HTML into the context of a victim’s browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The compromise occurs at the same privilege level as the affected web application, without requiring any additional permissions [1][4].

Mitigation

No patched version of @risingstack/protect has been released; the package is effectively unmaintained and no fix is available [4]. The only reliable mitigation is to stop using the isXss() function for HTML sanitization and instead adopt proper output escaping or a dedicated, well-tested XSS prevention library (e.g., using HTML entity encoding) as advised in reference [3]. Users of the RisingStack protect package should consider replacing it with an actively maintained alternative [3][4].