CVE-2022-28366
Description
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Neko-based HTML parsers vulnerable to DoS via crafted Processing Instruction input; fixed in HtmlUnit-Neko 2.27 and AntiSamy 1.6.6.
Vulnerability
The vulnerability is a denial of service flaw in Neko-based HTML parsers due to excessive heap memory consumption when processing crafted Processing Instruction (PI) input. Affected products include HtmlUnit-Neko through version 2.26, CyberNeko HTML through version 1.9.22, and OWASP AntiSamy before version 1.6.6 [2]. The issue is fixed in HtmlUnit-Neko 2.27 [3] and AntiSamy 1.6.6 [4]. CyberNeko HTML 1.9.22 is the final release and is no longer maintained.
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted Processing Instruction (PI) input to an application that uses an affected parser. No authentication is required; the attacker can trigger the denial of service remotely by sending malicious data to the parser. The processing of the crafted PI causes uncontrolled heap memory allocation, leading to resource exhaustion.
Impact
Successful exploitation results in a denial of service condition. The targeted application may become unresponsive or crash due to excessive heap memory consumption. The impact is limited to availability; no confidentiality or integrity compromise is described.
Mitigation
Users should upgrade to the patched versions: HtmlUnit-Neko version 2.27 or later [3]; OWASP AntiSamy version 1.6.6 or later [4]. For CyberNeko HTML, no further updates are available as version 1.9.22 is the last release; users are advised to migrate to an actively maintained fork such as HtmlUnit-Neko. The fix was released on April 21, 2022 in HtmlUnit-Neko 2.27.
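As an added example (not part of this advisory or of any of the projects it names), the following Python script scans a Maven `pom.xml` for dependencies that fall inside the version ranges stated above. The `net.sourceforge.htmlunit:neko-htmlunit` coordinate and the boundaries 2.27, 1.6.6 and 1.9.22 come from the page; the AntiSamy and CyberNeko Maven coordinates and the sample `pom.xml` are assumptions constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Version boundaries as stated in the advisory. The neko-htmlunit coordinate comes
# from the page's "Affected packages" table; the AntiSamy and CyberNeko coordinates
# are assumptions for illustration, not taken from the page.
ADVISORY = {
    "net.sourceforge.htmlunit:neko-htmlunit": {"fixed": "2.27", "last": None},
    "org.owasp.antisamy:antisamy": {"fixed": "1.6.6", "last": None},        # assumed coordinate
    "net.sourceforge.nekohtml:nekohtml": {"fixed": None, "last": "1.9.22"},  # assumed; no fixed release
}

def parse_version(v):
    """'2.27' -> (2, 27); non-numeric qualifiers are ignored for this comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(coord, version):
    """True if this coordinate/version falls inside the advisory's affected range."""
    entry = ADVISORY.get(coord)
    if entry is None:
        return False
    if entry["fixed"] is None:
        # No patched release exists: everything up to the last release is affected.
        return parse_version(version) <= parse_version(entry["last"])
    return parse_version(version) < parse_version(entry["fixed"])

def _local(tag):
    return tag.split("}")[-1]  # drop the {namespace} prefix ElementTree adds

def find_affected(pom_xml):
    """Return a list of (coordinate, version, advice) for every affected dependency."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for el in root if _local(el.tag) == "properties" for p in el}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        coord = f"{fields.get('groupId')}:{fields.get('artifactId')}"
        version = fields.get("version", "")
        # Resolve ${property} references against <properties>.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        if not version or "${" in version:
            continue  # unresolved or inherited version: cannot judge from this file alone
        if is_affected(coord, version):
            entry = ADVISORY[coord]
            advice = (f"upgrade to {entry['fixed']}" if entry["fixed"]
                      else "no fixed release; migrate to HtmlUnit-Neko 2.27 or later")
            findings.append((coord, version, advice))
    return findings

# Constructed sample pom.xml: one affected HtmlUnit-Neko, one patched AntiSamy
# (version supplied through a property), and the final CyberNeko release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><antisamy.version>1.6.6</antisamy.version></properties>
  <dependencies>
    <dependency><groupId>net.sourceforge.htmlunit</groupId><artifactId>neko-htmlunit</artifactId><version>2.26</version></dependency>
    <dependency><groupId>org.owasp.antisamy</groupId><artifactId>antisamy</artifactId><version>${antisamy.version}</version></dependency>
    <dependency><groupId>net.sourceforge.nekohtml</groupId><artifactId>nekohtml</artifactId><version>1.9.22</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coord, version, advice in find_affected(SAMPLE_POM):
        print(f"{coord} {version}: {advice}")
```

Versions inherited from a parent POM or a dependency-management section are skipped rather than guessed; for those, run the check over the resolved dependency tree instead of the raw file.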
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net.sourceforge.htmlunit:neko-htmlunit (Maven) | < 2.27 | 2.27 |
Affected products
- Neko / Neko HTML parsers (ranges taken from the CVE description)
  - Range: <=1.9.22 (CyberNeko HTML)
  - Range: <1.6.6 (OWASP AntiSamy)
Patches
199b1143bd221: Mention new security issues fixed in 1.6.6 release.
1 file changed · +2 −0
SECURITY.md+2 −0 modified@@ -31,3 +31,5 @@ These are the known CVEs reported for AntiSamy: * AntiSamy CVE #1 - CVE-2016-10006: XSS Bypass in AntiSamy before v1.5.5 - https://www.cvedetails.com/cve/CVE-2016-10006 * AntiSamy CVE #2 - CVE-2017-14735: XSS via HTML5 Entities in AntiSamy before v1.5.7 - https://www.cvedetails.com/cve/CVE-2017-14735 * AntiSamy CVE #3 - CVE-2021-35043: XSS via HTML attributes using : as replacement for : character before v1.6.4 - https://www.cvedetails.com/cve/CVE-2021-35043 +# AntiSamy CVEs #4 & #5 - We don't have CVEs yet for these. A vulnerability in a dependency was also found at the same time and fixed by upgrading to a fixed version of that dependency. +
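Review bot: the new SECURITY.md entry breaks the format of the list it joins: the existing entries are `*` bullets of the form `* AntiSamy CVE #N - CVE-XXXX: summary - link`, while the added line is a level-1 heading (`# AntiSamy CVEs #4 & #5 - ...`) followed by an empty added line, so it renders as a section title rather than a list item. Suggest a bullet in the same shape, naming the dependency whose upgrade fixed the issue (the advisory above identifies it as HtmlUnit-Neko, patched in 2.27) and the identifiers once assigned (this advisory is CVE-2022-28366), e.g. `* AntiSamy CVE #4 - CVE-2022-28366: DoS via crafted Processing Instruction in the Neko HTML parser dependency, fixed by upgrading in v1.6.6`.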
Vulnerability mechanics
Root cause
"Unbounded heap memory allocation when parsing crafted Processing Instruction (PI) input in Neko HTML parsers."
Attack vector
An attacker sends a crafted HTML document containing a malicious Processing Instruction (PI) payload to an application using the vulnerable Neko HTML parser. The parser enters an inefficient code path that allocates excessive heap memory for each PI token, leading to uncontrolled memory consumption. No authentication or special privileges are required; the attacker only needs to deliver the payload via any channel the parser processes (e.g., HTTP request body, file upload). This results in a denial of service due to heap exhaustion [patch_id=1641623].
Affected code
The vulnerability exists in the Neko HTML parser's handling of Processing Instruction (PI) input. The patch modifies the `HtmlUnit-Neko` and `CyberNeko HTML` parser code to address excessive heap memory consumption when parsing crafted PI content [patch_id=1641623]. The specific code path involves the parser's processing instruction state machine logic.
What the fix does
The patch [patch_id=1641623] modifies the processing instruction parsing logic to limit memory allocation. While the exact diff is not fully shown, the fix addresses the unbounded heap allocation triggered by crafted PI input. By constraining how the parser handles processing instruction content, the patch prevents the excessive memory consumption that previously allowed a denial of service.
Preconditions
- config: The target application must use a vulnerable version of HtmlUnit-Neko (through 2.26) or CyberNeko HTML (through 1.9.22) to parse attacker-supplied HTML.
- input: The attacker must be able to deliver a crafted HTML document containing a malicious Processing Instruction (PI) to the parser.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g9hh-vvx3-v37v (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-28366 (GHSA, advisory)
- github.com/nahsra/antisamy/releases/tag/v1.6.6 (GHSA, x_refsource_MISC, web)
- search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit (GHSA, x_refsource_MISC, web)
- sourceforge.net/projects/htmlunit/files/htmlunit/2.27 (GHSA, web)
- sourceforge.net/projects/htmlunit/files/htmlunit/2.27 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.