CVE-2023-22461: 
JavaScript vulnerability analysis and mitigation

The CVE-2023-22461 affects the sanitize-svg package, a small SVG sanitizer designed to prevent cross-site scripting attacks. The vulnerability was discovered in versions prior to 0.4.0, where the package used a deny-list pattern that failed to properly sanitize SVGs, potentially allowing cross-site scripting attacks. The issue was disclosed on January 4, 2023, and was subsequently patched in version 0.4.0 (GitHub Advisory).

The vulnerability stems from an incomplete deny-list pattern implementation that only checked for literal <script> tags and on-event handlers. The package failed to account for other methods of embedding JavaScript in XML files, such as anchor tags with javascript: URIs and foreign object tags. The CVSS v3.1 base score is 7.6 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N. The vulnerability is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) (NVD).

Downstream software that relies on sanitize-svg and expects resulting SVGs to be safe may be vulnerable to cross-site scripting attacks. The vulnerability allows attackers to bypass the intended security measures and potentially execute malicious JavaScript code through specially crafted SVG files. At least one downstream project was confirmed to have security implications due to this vulnerability (GitHub Advisory).

The vulnerability was addressed in version 0.4.0 of the sanitize-svg package. Users should upgrade to this version or later to receive the security fix. No alternative workarounds are available (GitHub Advisory).