Cross-site Scripting (XSS)
Description
The package @braintree/sanitize-url before 6.0.0 is vulnerable to Cross-site Scripting (XSS) due to improper sanitization in the sanitizeUrl function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
@braintree/sanitize-url before 6.0.0 is vulnerable to XSS due to improper sanitization of HTML-encoded JavaScript URLs in the sanitizeUrl function.
Vulnerability
The package @braintree/sanitize-url versions before 6.0.0 contain a Cross-site Scripting (XSS) vulnerability in the sanitizeUrl function. The function fails to properly decode HTML entities before validating URLs, allowing attackers to bypass the sanitization logic using encoded JavaScript protocols [1][2][3].
Exploitation
An attacker can craft a URL whose characters are HTML-entity-encoded so that, once decoded, they spell a javascript: protocol (e.g., an entity-encoded form of javascript:alert('XSS')). When passed to sanitizeUrl in affected versions, the function does not decode these entities, so the string does not match the blocked protocol and is returned as if it were a safe URL. If the sanitized URL is then rendered in a browser, which does decode the entities, the javascript: URL executes [2].
Impact
Successful exploitation leads to Cross-site Scripting (XSS). An attacker can execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to data theft, session hijacking, or defacement [1][2].
Mitigation
Upgrade to version 6.0.0 or higher of @braintree/sanitize-url, which includes proper HTML entity decoding before sanitization [2][3]. No other workarounds have been published.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
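The decode-before-validate point made in the Vulnerability, Exploitation and Mitigation sections above, as an added example in JavaScript. This is not code from @braintree/sanitize-url or from its 6.0.0 fix; the function names, the small entity table, the control-character stripping and the scheme allowlist are assumptions chosen for the illustration. The naive form validates the raw string and lets an entity-encoded javascript: URL through as if it were a relative path; the hardened form decodes entities first, so the same input is replaced with about:blank.

```javascript
// Added illustration, not code from @braintree/sanitize-url: two minimal
// URL sanitizers that differ only in whether HTML entities are decoded
// before the scheme is validated. Names, the entity table and the
// allowlist are assumptions made for this example.

const BLANK_URL = "about:blank";
// Schemes this example allows; any other absolute URL is replaced.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "ftp", "tel"]);

// Small named-entity table (assumption: enough for the illustration);
// numeric forms (&#NN; and &#xHH;) are handled generically below.
const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", colon: ":",
  Tab: "\t", NewLine: "\n",
};

// Decode HTML character references the way a browser does when it reads
// an attribute value such as href. Unknown references are left untouched.
function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body]
      : match;
  });
}

// Remove ASCII control characters (tab and newline included), which a
// browser ignores inside a scheme, so "java\tscript:" compares as "javascript:".
function stripControlChars(s) {
  return s.replace(/[\u0000-\u001f\u007f-\u009f]/g, "");
}

// Return the lower-cased scheme, or null for a relative URL.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

function checkScheme(url) {
  const scheme = schemeOf(url);
  if (scheme === null) return url; // relative URL: no scheme to abuse
  return ALLOWED_SCHEMES.has(scheme) ? url : BLANK_URL;
}

// Vulnerable shape (the pre-6.0.0 pattern described above): the raw string
// is checked. "&#106;avascript:..." starts with "&", so no scheme is found,
// it is treated as a relative URL and passed through unchanged. Once the
// browser decodes the attribute it becomes a javascript: URL.
function sanitizeUrlNaive(url) {
  return checkScheme(stripControlChars(url.trim()));
}

// Hardened shape: decode first, then normalise and validate what the
// browser will actually see.
function sanitizeUrlHardened(url) {
  return checkScheme(stripControlChars(decodeHtmlEntities(url.trim())));
}

// Constructed sample inputs for a quick self-check when run directly.
const SAMPLES = [
  "https://example.com/path?q=1",
  "/relative/path",
  "javascript:alert('XSS')",
  "&#106;avascript:alert('XSS')",
  "&#x6A;ava&Tab;script:alert('XSS')",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "naive ->", sanitizeUrlNaive(s),
      "| hardened ->", sanitizeUrlHardened(s));
  }
}

if (typeof module !== "undefined") {
  module.exports = { decodeHtmlEntities, stripControlChars, sanitizeUrlNaive, sanitizeUrlHardened };
}
```

Run with `node` to print each sample beside both results. The ordering is the whole point: any normalisation a browser will perform on the value (entity decoding, dropping control characters) has to happen before the scheme check, otherwise the check is evaluated against a string the browser never sees.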
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @braintree/sanitize-url (npm) | < 6.0.0 | 6.0.0 |
Affected products
- @braintree/sanitize-url
  - ghsa-coords: 2 versions (< 6.0.0, plus 1 more)
  - (no CPE) range: < 6.0.0
  - (no CPE) range: < 7.5.15-3.el8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hqq7-2q2v-82xq (ghsa; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/ (mitre; vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/ (mitre; vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/ (mitre; vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2021-23648 (ghsa; ADVISORY)
- github.com/braintree/sanitize-url/blob/main/src/index.ts%23L11 (ghsa; x_refsource_MISC, WEB)
- github.com/braintree/sanitize-url/pull/40 (ghsa; x_refsource_MISC, WEB)
- github.com/braintree/sanitize-url/pull/40/commits/e5afda45d9833682b705f73fc2c1265d34832183 (ghsa; x_refsource_MISC, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ (ghsa; WEB)
- snyk.io/vuln/SNYK-JS-BRAINTREESANITIZEURL-2339882 (ghsa; x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.