CVE-2020-6816
Description
In Mozilla Bleach before 3.1.2, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bleach (PyPI) | < 3.1.2 | 3.1.2 |
Affected products
- Versions: 0.1.2, 0.2.0, 0.2.1, …
- GHSA coordinates (4 package URLs):
  - pkg:pypi/bleach (no CPE): range < 3.1.2
  - pkg:rpm/opensuse/python-bleach&distro=openSUSE%20Leap%2015.2 (no CPE): range < 3.1.5-lp152.2.3.1
  - pkg:rpm/opensuse/python-bleach&distro=openSUSE%20Tumbleweed (no CPE): range < 6.1.0-1.5
  - pkg:rpm/suse/python-bleach&distro=SUSE%20Package%20Hub%2015%20SP2 (no CPE): range < 3.1.5-bp152.2.4.1
Patches
Vulnerability mechanics
Root cause
"Bleach's HTML parser does not match browser behavior when parsing RCDATA content embedded inside MathML or SVG tags, allowing mutation XSS."
Attack vector
An attacker supplies HTML in which a `math` or `svg` element wraps an RCDATA element (for example `style` or `script`) whose body carries the payload, typically an element with an event-handler attribute. The attack only works when the application itself calls `bleach.clean` with `strip=False` and allows both the `math`/`svg` tag and at least one RCDATA tag. Bleach's parser treats the RCDATA body as opaque text and passes it through unescaped, whereas a browser does not enter raw-text mode inside SVG/MathML foreign content and parses that body as markup; the smuggled markup therefore becomes live elements, and any script it carries executes, when the sanitized output is rendered [patch_id=1666590].
Affected code
The vulnerability resides in the `bleach.clean` function's handling of embedded MathML and SVG content containing RCDATA tags. When `strip=False` and RCDATA tags such as `script`, `style`, or `iframe` are whitelisted alongside `math` or `svg`, the parser does not match browser behavior, allowing malicious content to survive sanitization.
What the fix does
The patch updates the version to 3.1.2 and documents the security fix in the changelog [patch_id=1666590]. While the diff shown is limited to version metadata, the accompanying advisory indicates that the fix corrects how `bleach.clean` parses embedded MathML and SVG content containing RCDATA tags so that it matches browser parsing behavior. This closes the mutation XSS by ensuring that RCDATA content inside `math`/`svg` tags is properly escaped or stripped rather than being treated as raw HTML.
Preconditions
- (config) The application must call `bleach.clean` with `strip=False`
- (config) Both a `math` or `svg` tag and at least one RCDATA tag (`script`, `noscript`, `style`, `noframes`, `iframe`, `noembed`, or `xmp`) must be in the allowed tags whitelist
- (input) An attacker must be able to supply HTML input to `bleach.clean`
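The parser divergence behind the attack vector, together with the preconditions just listed, as an added illustration that is not code from Bleach, the advisory, or Checkmarx. Python's standard-library `html.parser` switches to raw-text mode for `script` and `style` in every context, the HTML4-era behaviour the bug shares, so it stands in here for the pre-3.1.2 sanitizer (Bleach itself uses html5lib, not this module). `browser_view` is a deliberately small model of one HTML5 rule, that a raw-text element does not put the tokenizer into raw-text mode inside `svg`/`math` foreign content, and is not a full HTML5 parser. `smuggled_tags` reports the start tags only the browser materialises, which is exactly the mutation, and `dangerous_clean_config` encodes the three preconditions as a configuration check. All function names and the payload are this example's own; `html.parser` models raw-text mode only for `script` and `style`, so the other RCDATA tags are covered by the config check but not by the parser comparison.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Tag sets taken from the advisory text above.
FOREIGN_ROOTS = {"svg", "math"}
RCDATA_TAGS = {"script", "noscript", "style", "noframes", "iframe", "noembed", "xmp"}


class _RawTextView(HTMLParser):
    """Stand-in for a context-insensitive parser: html.parser enters raw-text
    mode on <script>/<style> no matter what element encloses them, so every
    tag inside such a body reaches handle_data as inert text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.starts = Counter()

    def handle_starttag(self, tag, attrs):
        self.starts[tag.lower()] += 1


def raw_text_view(html):
    """Count of start tags the raw-text parser actually tokenised."""
    p = _RawTextView()
    p.feed(html)
    p.close()
    return p.starts


TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
ATTR_RE = re.compile(r"""([^\s"'=<>/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?""")


def browser_view(html):
    """Minimal model of the HTML5 tree-construction rule at issue: a raw-text
    element only switches the tokenizer to raw-text mode when it is NOT inside
    <svg>/<math> foreign content.  Returns (tag, attrs) for every start tag the
    tokenizer would emit.  Illustrative model only, not a full HTML5 parser."""
    starts, foreign_depth, pos = [], 0, 0
    while (m := TAG_RE.search(html, pos)):
        closing, tag, rest = m.group(1), m.group(2).lower(), m.group(3)
        pos = m.end()
        if closing:
            if tag in FOREIGN_ROOTS and foreign_depth:
                foreign_depth -= 1
            continue
        attrs = {a.group(1).lower(): a.group(2) or a.group(3) or a.group(4) or ""
                 for a in ATTR_RE.finditer(rest)}
        starts.append((tag, attrs))
        if tag in FOREIGN_ROOTS:
            foreign_depth += 1
        elif tag in RCDATA_TAGS and foreign_depth == 0:
            # Outside foreign content the browser agrees with the raw-text parser:
            # everything up to the matching end tag is inert text.
            end = re.search(r"</\s*%s\s*>" % re.escape(tag), html[pos:], re.I)
            pos = len(html) if end is None else pos + end.end()
    return starts


def smuggled_tags(html):
    """Start tags a browser would create that the raw-text parser left hidden
    inside an RCDATA body.  A non-empty result means the input mutates."""
    leftover = Counter(raw_text_view(html))
    smuggled = []
    for tag, attrs in browser_view(html):
        if leftover[tag] > 0:
            leftover[tag] -= 1
        else:
            smuggled.append((tag, attrs))
    return smuggled


def dangerous_clean_config(tags, strip=False):
    """The advisory's preconditions as a check on a bleach.clean() configuration:
    strip=False, a foreign-content root allowed, and an RCDATA tag allowed."""
    tags = {t.lower() for t in tags}
    return (not strip) and bool(tags & FOREIGN_ROOTS) and bool(tags & RCDATA_TAGS)


if __name__ == "__main__":
    # Constructed payload (this example's own, not the advisory's): an element
    # with an event handler wrapped in <style> inside <svg>.
    payload = '<svg><style><img src=x onerror=alert(1)></style></svg>'
    print(smuggled_tags(payload))             # the raw-text parser never saw <img>
    print(smuggled_tags(payload[5:-6]))       # same body without <svg>: nothing smuggled
    print(dangerous_clean_config(["svg", "style", "p"], strip=False))
```

On an unpatched install the first precondition is the cheapest one to fix in application code, but upgrading to 3.1.2 or later is the actual remedy; the config check is useful as a one-line assertion in tests against the allowed-tags list a project ships, since the dangerous combination is easy to introduce by adding `svg` to an existing whitelist that already contains `style`.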
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m6xf-fq7q-8743 (GHSA advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EDQU2SZLZMSSACCBUBJ6NOSRNNBDYFW5/ (Fedora vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-6816 (NVD entry)
- advisory.checkmarx.net/advisory/CX-2020-4277 (Checkmarx advisory)
- github.com/mozilla/bleach/releases/tag/v3.1.2 (Bleach release notes)
- github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743 (Bleach project security advisory)
- github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2020-28.yaml (PyPA advisory database, PYSEC-2020-28)
- www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach (Checkmarx blog post)