VYPR
Moderate severity · NVD Advisory · Published Jul 30, 2018 · Updated Sep 16, 2024

CVE-2018-3773

Description

Metascraper npm module <=3.9.2 stores unsanitized Open Graph meta properties, leading to stored XSS when rendered by a consumer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The metascraper npm module (library for extracting unified metadata from websites) versions up to and including 3.9.2 suffer from a stored Cross-Site Scripting (XSS) vulnerability [1]. The bug resides in how Open Graph meta properties are read and stored without escaping HTML content. When a malicious page provides crafted Open Graph tags (e.g., og:title, og:description), the extracted metadata retains the raw, unsanitized HTML. Any downstream application that renders the scraped metadata without additional escaping will execute the injected script. The vulnerability affects all consumers of metascraper <=3.9.2 [2].

Exploitation

An attacker needs to host a web page containing malicious JavaScript embedded within Open Graph meta property values (for example, in og:title). A victim application using metascraper <=3.9.2 to scrape metadata from user-supplied URLs will extract the unsanitized payload. If the application later renders that metadata (e.g., in a web interface or an API response consumed by a browser), the stored malicious script executes. No authentication or special network position is required beyond the ability to make the victim application scrape the attacker-controlled URL [1][2].

Impact

Successful exploitation results in stored XSS within the context of the scraping application. An attacker can execute arbitrary JavaScript in the browser of any user who views the scraped metadata. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attacker gains the same privileges as the authenticated user viewing the infected metadata page [1][3].

Mitigation

The vulnerability is fixed in metascraper version 3.9.3 [2]. The fix adds an escape parameter that HTML-escapes data by default. Users should upgrade to metascraper >=3.9.3. If upgrading immediately is not possible, applications consuming metascraper output must sanitize all scraped string values before rendering them in HTML or browser contexts. No known KEV listing exists as of the publication date [1][2][3].
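
One way to apply the consumer-side sanitization described above, as an added example that is not part of the advisory or of metascraper's own code. The field names (title, description, url, image, logo) and the sample object are assumptions constructed for illustration.

```javascript
// Added example: consumer-side hardening for scraped metadata.
// Field names and the sample object are assumptions, not taken from the advisory.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can break out of HTML text or quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fields that end up in href/src attributes. Escaping alone is not enough here:
// a javascript: URL contains no characters that escaping would neutralize.
const URL_FIELDS = new Set(['url', 'image', 'logo']);

function safeUrl(value) {
  try {
    const parsed = new URL(String(value));
    const ok = parsed.protocol === 'http:' || parsed.protocol === 'https:';
    return ok ? escapeHtml(parsed.href) : null;
  } catch {
    return null; // not an absolute URL
  }
}

// Return a deep copy of the scraped object that is safe to interpolate into HTML.
function sanitizeMetadata(input, key = '') {
  if (typeof input === 'string') {
    return URL_FIELDS.has(key) ? safeUrl(input) : escapeHtml(input);
  }
  if (Array.isArray(input)) {
    return input.map((item) => sanitizeMetadata(item, key));
  }
  if (input !== null && typeof input === 'object') {
    // Object.fromEntries defines own properties, so a "__proto__" key stays data.
    return Object.fromEntries(
      Object.entries(input).map(([k, v]) => [k, sanitizeMetadata(v, k)])
    );
  }
  return input; // numbers, booleans and null pass through unchanged
}

// Constructed sample of what a scraper could return for a hostile page.
const scraped = {
  title: '<script>alert(1)</script>',
  description: '"><img src=x onerror=alert(1)>',
  url: 'javascript:alert(1)',
  image: 'https://example.com/a.png?x=1&y=2',
};

console.log(sanitizeMetadata(scraped));
```

Apply this once, at the point where metadata is written into HTML. If the template engine already auto-escapes, running both will double-encode the text fields.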

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            | Affected versions | Patched versions
metascraper (npm)  | < 5.2.0           | 5.2.0

Affected products

2
  • ghsa-coords
    Range: < 5.2.0
  • https://github.com/microlinkhq/metascraperv5
    Range: Not fixed

References

5
