Cross-site Scripting (XSS) Affecting cheerio package, versions <=0.8.3


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDnpm:cheerio:20120311
  • published20 Oct 2016
  • disclosed11 Mar 2012
  • creditBen Atkin

Introduced: 11 Mar 2012

CVE NOT AVAILABLE CWE-79  (opens in a new tab)

How to fix?

Upgrade cheerio to version 0.9.0 or greater.

Overview

cheerio is an implementation of core jQuery designed specifically for the server. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks via assigned attributes.

The vulnerability was reported by Ben Atkin

Example

When assigning attributes, there is no protection against XSS:

function xss() {
  var $ = require('cheerio').load('<a>GitHub</a>');
  $('a').attr('href', 'http://github.com/"><script>alert("XSS!")</script><br');
  return $.html();
}

xss() returns:

<a href = "http://github.com/"><script>alert("XSS!")</script><br">GitHub</a>

Details

<>

CVSS Scores

version 3.1