CVE-2024-21501
Description
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
sanitize-html before 2.12.1 allows file enumeration via crafted style attributes with sourceMappingURL, exposing server file system structure.
Vulnerability
Description
The sanitize-html library before version 2.12.1 is vulnerable to information exposure when used on the backend with the style attribute allowed. The root cause is that the library passes style attribute values directly to PostCSS for parsing without disabling source map processing [3]. This allows an attacker to embed CSS source mapping URLs (e.g., /*# sourceMappingURL=... */) within style attributes, causing PostCSS to attempt to resolve the source map file path.
Exploitation
An attacker must be able to submit HTML that is sanitized by the library on the server side, with the style attribute allowed (e.g., via allowedAttributes configuration). By crafting a style attribute containing a sourceMappingURL pointing to a file path (e.g., ./node_modules/sanitize-html/index.js), the attacker can determine whether that file exists based on differences in the sanitized output [4]. The fix introduced in version 2.12.1 adds the { map: false } option to the postcssParse call to prevent this behavior [3].
Impact
Successful exploitation allows an attacker to enumerate files on the server file system, including project dependencies. This reveals the directory structure and the presence of specific files, potentially aiding further attacks or information gathering [1][2]. The vulnerability does not allow direct file disclosure beyond existence checks.
Mitigation
Users should upgrade sanitize-html to version 2.12.1 or higher. The repository has been archived and is read-only as of February 2026 [2], so no further patches will be issued. No workaround is available if the style attribute must be allowed; upgrading is the only solution [4].
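The two checks a defender would want from the narrative above, as an added example that is not sanitize-html's or PostCSS's own code: an affected-version test against the advisory's range (< 2.12.1) for dependency inventory, and a scanner that flags style attributes in inbound HTML carrying a `/*# sourceMappingURL=... */` annotation so such inputs can be logged or alerted on while the upgrade is rolled out. The regular expressions, the function names and the sample HTML are this example's own assumptions; it does not invoke PostCSS, so it does not reproduce the `{ map: false }` fix itself.

```javascript
// Added example (not sanitize-html's own code). Two defender-side helpers:
//  1. isAffectedVersion(): flags sanitize-html versions in the advisory's
//     affected range (< 2.12.1) for dependency inventory.
//  2. findSourceMapAnnotations(): scans HTML for style attributes carrying a
//     CSS source-map annotation (/*# sourceMappingURL=... */), the input
//     pattern this CVE abuses, so it can be logged or alerted on.
// The regexes and helper names below are this example's own assumptions.

const PATCHED_VERSION = '2.12.1';

// Compare dotted numeric versions; returns -1, 0 or 1 like a comparator.
// Missing components count as 0, so '2.12' sorts as '2.12.0'.
function compareVersions(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10) || 0);
  const pb = b.split('.').map((n) => parseInt(n, 10) || 0);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the given sanitize-html version is in the affected range (< 2.12.1).
function isAffectedVersion(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Matches a style="..." or style='...' attribute and captures its raw value.
// Assumption: the value is not entity-encoded (a &quot;-encoded quote would
// end the match early), so this is telemetry on the raw input only.
const STYLE_ATTR_RE = /\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
// Matches a CSS source-map annotation comment and captures the URL or path.
// Assumption: optional whitespace after "/*" and "#" is tolerated.
const SOURCE_MAP_RE = /\/\*\s*#\s*sourceMappingURL=([^*]*?)\s*\*\//g;

// Returns one finding per annotation found inside a style attribute:
// the attribute's offset in the input, its value, and the referenced path.
function findSourceMapAnnotations(html) {
  const findings = [];
  for (const m of html.matchAll(STYLE_ATTR_RE)) {
    const value = m[1] !== undefined ? m[1] : m[2];
    for (const s of value.matchAll(SOURCE_MAP_RE)) {
      findings.push({
        attributeOffset: m.index,
        style: value,
        sourceMappingURL: s[1].trim(),
      });
    }
  }
  return findings;
}

// Constructed sample input (not taken from the advisory): one benign style
// attribute and one carrying an annotation shaped like the regression test
// added in the fix commit.
const SAMPLE_HTML =
  '<p style="color: red">ok</p>' +
  '<a style=\'background-image: url("/*# sourceMappingURL=../index.js */");\'>x</a>';

function demo() {
  const findings = findSourceMapAnnotations(SAMPLE_HTML);
  console.log('2.12.0 affected:', isAffectedVersion('2.12.0')); // true
  console.log('2.12.1 affected:', isAffectedVersion('2.12.1')); // false
  console.log('annotations found:', findings.length); // 1
  console.log(findings);
  return findings;
}

demo();
```

Run with `node`; `findSourceMapAnnotations` returns the referenced path per annotation, which is the value worth putting in a log line or alert. The scanner is detection only: it inspects the raw attribute string and cannot see values hidden behind entity encoding, so the version check and the upgrade it points to remain the actual fix, as the Mitigation paragraph states.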
- [1] NVD - CVE-2024-21501
- [2] GitHub - apostrophecms/sanitize-html: Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance
- [3] Merge pull request #650 from dylanarmstrong/fix/ignore-source-maps · apostrophecms/sanitize-html@c5dbdf7
- [4] Snyk Vulnerability Database | Snyk
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sanitize-html (npm) | < 2.12.1 | 2.12.1 |
Patches
c5dbdf77fe8b Merge pull request #650 from dylanarmstrong/fix/ignore-source-maps
3 files changed · +11 −1
CHANGELOG.md+2 −0 modified@@ -6,6 +6,8 @@ - Clarified the use of SVGs with a new test and changes to documentation. Thanks to [Gauav Kumar](https://github.com/gkumar9891) for the contribution. +- Do not process source maps when processing style tags with PostCSS. + ## 2.11.0 (2023-06-21) - Fix to allow `false` in `allowedClasses` attributes. Thanks to [Kevin Jiang](https://github.com/KevinSJ) for this fix!
index.js+1 −1 modified@@ -453,7 +453,7 @@ function sanitizeHtml(html, options, _recursing) { if (a === 'style') { if (options.parseStyleAttributes) { try { - const abstractSyntaxTree = postcssParse(name + ' {' + value + '}'); + const abstractSyntaxTree = postcssParse(name + ' {' + value + '}', { map: false }); const filteredAST = filterCss(abstractSyntaxTree, options.allowedStyles); value = stringifyStyleAttributes(filteredAST);
test/test.js+8 −0 modified@@ -1659,5 +1659,13 @@ describe('sanitizeHtml', function() { } }), '<svg viewBox="0 0 10 10" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><defs><linearGradient id="myGradient" gradientTransform="rotate(90)"><stop offset="5%" stop-color="gold"></stop><stop offset="95%" stop-color="red"></stop></linearGradient></defs><circle cx="5" cy="5" r="4" fill="url(\'#myGradient\')"></circle></svg>'); }); + it('should not process style sourceMappingURL with postCSS', () => { + assert.equal(sanitizeHtml('<a style=\'background-image: url("/*# sourceMappingURL=../index.js */");\'></a>', { + allowedAttributes: { + ...sanitizeHtml.defaults.allowedAttributes, + a: [ 'style' ] + } + }), '<a style="background-image:url("/*# sourceMappingURL=../index.js */")"></a>'); + }); });
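Review bot: the CHANGELOG entry `- Do not process source maps when processing style tags with PostCSS.` describes `<style>` tags, but the index.js change in this commit sits in the style attribute branch (`if (a === 'style')` under `options.parseStyleAttributes`); reword the entry to say style attributes, or confirm that the tag path is covered as well, so the changelog matches what shipped.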
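Review bot: `{ map: false }` is added to a single `postcssParse` call, the one in the style attribute branch; if `postcssParse` is invoked anywhere else in index.js, the same option is needed there, otherwise the source-map lookup stays reachable through that path. A one-line comment next to `postcssParse(name + ' {' + value + '}', { map: false })` stating why the option is required (PostCSS otherwise honours `/*# sourceMappingURL=... */` annotations and tries to resolve the referenced path) would keep a later refactor from dropping it.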
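Review bot: the new test `should not process style sourceMappingURL with postCSS` asserts only that the sanitized output equals the input, so it would pass whether or not PostCSS consulted the file system; a stronger regression check would also assert that no file read is attempted for the annotated path (for example by stubbing the `fs` module for the duration of the test). Separately, as rendered here the expected string nests an unescaped `"` inside a double-quoted `style` attribute; confirm the committed assertion uses the escaped form the sanitizer actually emits.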
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rm97-x556-q36h (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-21501 (GHSA, advisory)
- gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf (GHSA, web)
- github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4 (GHSA, web)
- github.com/apostrophecms/sanitize-html/pull/650 (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7 (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S (GHSA, web)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557 (GHSA, web)
- security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334 (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/ (MITRE)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/ (MITRE)