Moderate severity · OSV Advisory · Published Apr 22, 2020 · Updated Aug 4, 2024

CVE-2020-7642

CVE-2020-7642

Description

lazysizes through 5.2.0 allows execution of malicious JavaScript. The video-embed plugin reads the data-vimeo, data-vimeoparams, data-youtube and data-ytparams attributes and concatenates their values, unvalidated, into an <iframe> markup string that it assigns through innerHTML; an attacker who controls those attribute values can therefore break out of the src attribute and inject markup and malicious JavaScript.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
lazysizes (npm) | < 5.2.1 | 5.2.1


Patches

1
3720ab826255

Video embed: test yt/vimeo id (fixes #764)

https://github.com/aFarkas/lazysizesAlexander FarkasApr 15, 2020via ghsa
2 files changed · +14 4
  • plugins/video-embed/ls.video-embed.js+13 3 modified
    @@ -27,6 +27,7 @@
     	var regId = /\{\{id}}/;
     	var regYtImg = /\{\{hqdefault}}/;
     	var regAmp = /^&/;
    +	var regValidParam = /^[a-z0-9-_&=]+$/i;
     	var youtubeImg = protocol + '//img.youtube.com/vi/{{id}}/{{hqdefault}}.jpg';
     	var youtubeIframe = protocol + '//www.youtube.com/embed/{{id}}?autoplay=1';
     	var vimeoApi = protocol + '//vimeo.com/api/oembed.json?url=https%3A//vimeo.com/{{id}}';
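Review bot: `regValidParam` on the added line is one character class shared between the video id and the free-form params, so `&` and `=` are accepted in `data-youtube`/`data-vimeo` ids even though the id is substituted into the URL path of `youtubeIframe`/`vimeoIframe`, where a query separator has no business being; a second pattern, `var regValidId = /^[a-z0-9_-]+$/i;`, used for the id checks in the two click handlers would keep the id test as tight as the rest of the URL. Quotes, `<`, `>`, whitespace, `/` and `?` are all outside the class, so the attribute-breakout described in the advisory is closed either way. As a point of style, the literal `-` placed directly after the `0-9` range is parsed as a literal hyphen in JavaScript but reads like the start of a second range; writing it last, `/^[a-z0-9_&=-]+$/i`, makes the intent obvious to readers and linters.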
    @@ -64,6 +65,12 @@
     		var id = elem.getAttribute('data-vimeo');
     		var vimeoParams = elem.getAttribute('data-vimeoparams') || '';
     
    +		elem.removeEventListener('click', embedVimeoIframe);
    +
    +		if (!id || !regValidParam.test(id) || (vimeoParams && !regValidParam.test(vimeoParams))) {
    +			return;
    +		}
    +
     		if(vimeoParams && !regAmp.test(vimeoParams)){
     			vimeoParams = '&'+ vimeoParams;
     		}
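Review bot: The new guard validates `data-vimeo` only on click, inside `embedVimeoIframe`, while the unveil path that runs first — `embedVimeoImg`, outside this hunk — takes the same attribute unvalidated; judging from the minified bundle in the second file, it substitutes the raw id into `vimeoApi` and loads the result as a `<script src>` JSONP request, so a crafted `data-vimeo` still reaches a script URL, including its `callback` query parameter, before any click happens. I can't tell from here how vimeo.com treats a duplicated `callback`, but the id should be checked where it is read, e.g. at the top of `embedVimeoImg`: `if (!regValidParam.test(id)) { return; }`. The rejecting `return` here also skips the `e.preventDefault()` that the minified bundle shows follows the guard, so a rejected element falls through to its default click action with no signal; a comment ahead of the guard such as `// Reject ids/params outside the allowed charset: the value is interpolated into iframe markup` would record that this is deliberate. `embedVimeoIframe` continues past the end of the hunk.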
    @@ -74,7 +81,6 @@
     			'frameborder="0" allowfullscreen="" width="640" height="390"></iframe>'
     		;
     
    -		elem.removeEventListener('click', embedVimeoIframe);
     	}
     
     	function embedYoutubeImg(id, elem){
    @@ -89,6 +95,12 @@
     		var id = elem.getAttribute('data-youtube');
     		var youtubeParams = elem.getAttribute('data-ytparams') || '';
     
    +		elem.removeEventListener('click', embedYoutubeIframe);
    +
    +		if (!id || !regValidParam.test(id) || (youtubeParams && !regValidParam.test(youtubeParams))) {
    +			return;
    +		}
    +
     		if(youtubeParams && !regAmp.test(youtubeParams)){
     			youtubeParams = '&'+ youtubeParams;
     		}
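Review bot: The guard here mirrors the Vimeo one and shares its gap: `data-youtube` is checked only inside the click handler, while `embedYoutubeImg` (its signature is the context line opening this hunk, its body lies outside it) has already interpolated the unvalidated attribute into a CSS `url(...)` background on unveil, per the minified bundle below, together with an equally unvalidated `data-thumb-size`. A check at the top of `embedYoutubeImg`, `if (!regValidParam.test(id)) { return; }`, would close that path, and `data-thumb-size` needs the same treatment before it is spliced into `youtubeImg`. When the guard rejects, the handler has already removed itself and returns without `e.preventDefault()`, so the click silently falls through to whatever default the element has; a one-line comment such as `// Untrusted attribute value: drop the embed rather than build markup from it` would tell the next reader that the silent drop is intentional. `embedYoutubeIframe` continues past the end of the hunk.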
    @@ -98,8 +110,6 @@
     		elem.innerHTML = '<iframe src="' + (youtubeIframe.replace(regId, id)) + youtubeParams +'" ' +
     			'frameborder="0" allowfullscreen="" width="640" height="390"></iframe>'
     		;
    -
    -		elem.removeEventListener('click', embedYoutubeIframe);
     	}
     
     	document.addEventListener('lazybeforeunveil', function(e){
    
  • plugins/video-embed/ls.video-embed.min.js+1 1 modified
    @@ -1,2 +1,2 @@
     /*! lazysizes - v5.2.0 */
    -!function(a,b){if(a){var c=function(){b(a.lazySizes),a.removeEventListener("lazyunveilread",c,!0)};b=b.bind(null,a,a.document),"object"==typeof module&&module.exports?b(require("lazysizes")):a.lazySizes?c():a.addEventListener("lazyunveilread",c,!0)}}("undefined"!=typeof window?window:0,function(a,b,c){"use strict";function d(c,d){var e="vimeoCallback"+j,f=b.createElement("script");c+="&callback="+e,j++,a[e]=function(b){f.parentNode.removeChild(f),delete a[e],d(b)},f.src=c,b.head.appendChild(f)}function e(a,b){d(p.replace(k,a),function(a){a&&a.thumbnail_url&&(b.style.backgroundImage="url("+a.thumbnail_url+")")}),b.addEventListener("click",f)}function f(a){var b=a.currentTarget,c=b.getAttribute("data-vimeo"),d=b.getAttribute("data-vimeoparams")||"";d&&!m.test(d)&&(d="&"+d),a.preventDefault(),b.innerHTML='<iframe src="'+q.replace(k,c)+d+'" frameborder="0" allowfullscreen="" width="640" height="390"></iframe>',b.removeEventListener("click",f)}function g(a,b){var d=b.getAttribute("data-thumb-size")||c.cfg.ytThumb||"hqdefault";b.style.backgroundImage="url("+n.replace(k,a).replace(l,d)+")",b.addEventListener("click",h)}function h(a){var b=a.currentTarget,c=b.getAttribute("data-youtube"),d=b.getAttribute("data-ytparams")||"";d&&!m.test(d)&&(d="&"+d),a.preventDefault(),b.innerHTML='<iframe src="'+o.replace(k,c)+d+'" frameborder="0" allowfullscreen="" width="640" height="390"></iframe>',b.removeEventListener("click",h)}if(b.getElementsByClassName){var i="https:"==location.protocol?"https:":"http:",j=Date.now(),k=/\{\{id}}/,l=/\{\{hqdefault}}/,m=/^&/,n=i+"//img.youtube.com/vi/{{id}}/{{hqdefault}}.jpg",o=i+"//www.youtube.com/embed/{{id}}?autoplay=1",p=i+"//vimeo.com/api/oembed.json?url=https%3A//vimeo.com/{{id}}",q=i+"//player.vimeo.com/video/{{id}}?autoplay=1";b.addEventListener("lazybeforeunveil",function(a){if(a.detail.instance==c){var b=a.target,d=b.getAttribute("data-youtube"),f=b.getAttribute("data-vimeo");d&&b&&g(d,b),f&&b&&e(f,b)}})}});
    \ No newline at end of file
    +!function(a,b){if(a){var c=function(){b(a.lazySizes),a.removeEventListener("lazyunveilread",c,!0)};b=b.bind(null,a,a.document),"object"==typeof module&&module.exports?b(require("lazysizes")):a.lazySizes?c():a.addEventListener("lazyunveilread",c,!0)}}("undefined"!=typeof window?window:0,function(a,b,c){"use strict";function d(c,d){var e="vimeoCallback"+j,f=b.createElement("script");c+="&callback="+e,j++,a[e]=function(b){f.parentNode.removeChild(f),delete a[e],d(b)},f.src=c,b.head.appendChild(f)}function e(a,b){d(q.replace(k,a),function(a){a&&a.thumbnail_url&&(b.style.backgroundImage="url("+a.thumbnail_url+")")}),b.addEventListener("click",f)}function f(a){var b=a.currentTarget,c=b.getAttribute("data-vimeo"),d=b.getAttribute("data-vimeoparams")||"";b.removeEventListener("click",f),c&&n.test(c)&&(!d||n.test(d))&&(d&&!m.test(d)&&(d="&"+d),a.preventDefault(),b.innerHTML='<iframe src="'+r.replace(k,c)+d+'" frameborder="0" allowfullscreen="" width="640" height="390"></iframe>')}function g(a,b){var d=b.getAttribute("data-thumb-size")||c.cfg.ytThumb||"hqdefault";b.style.backgroundImage="url("+o.replace(k,a).replace(l,d)+")",b.addEventListener("click",h)}function h(a){var b=a.currentTarget,c=b.getAttribute("data-youtube"),d=b.getAttribute("data-ytparams")||"";b.removeEventListener("click",h),c&&n.test(c)&&(!d||n.test(d))&&(d&&!m.test(d)&&(d="&"+d),a.preventDefault(),b.innerHTML='<iframe src="'+p.replace(k,c)+d+'" frameborder="0" allowfullscreen="" width="640" height="390"></iframe>')}if(b.getElementsByClassName){var i="https:"==location.protocol?"https:":"http:",j=Date.now(),k=/\{\{id}}/,l=/\{\{hqdefault}}/,m=/^&/,n=/^[a-z0-9-_&=]+$/i,o=i+"//img.youtube.com/vi/{{id}}/{{hqdefault}}.jpg",p=i+"//www.youtube.com/embed/{{id}}?autoplay=1",q=i+"//vimeo.com/api/oembed.json?url=https%3A//vimeo.com/{{id}}",r=i+"//player.vimeo.com/video/{{id}}?autoplay=1";b.addEventListener("lazybeforeunveil",function(a){if(a.detail.instance==c){var 
b=a.target,d=b.getAttribute("data-youtube"),f=b.getAttribute("data-vimeo");d&&b&&g(d,b),f&&b&&e(f,b)}})}});
    \ No newline at end of file
    

