CVE-2024-21501: 
JavaScript vulnerability analysis and mitigation

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed. The vulnerability was discovered in February 2024 and affects the sanitize-html package's file system information handling (Snyk Security). The vulnerability was assigned CVE-2024-21501 and has a CVSS v3.1 base score of 5.3 (Medium) (NVD).

The vulnerability occurs when the sanitize-html package is used on the backend with the style attribute allowed. The issue allows enumeration of files in the system, including project dependencies, through differences in how the package processes existing versus non-existing files. When a file actually exists on the server and is not a valid source map, the style attribute is not received; otherwise, it is received (GitHub Gist).

An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server. This information disclosure could potentially be used for further targeted attacks by revealing sensitive information about the server's file system layout (NVD).

The recommended mitigation is to upgrade sanitize-html to version 2.12.1 or higher, which includes a fix for this vulnerability. The fix prevents the information disclosure by ignoring source maps when processing with PostCSS (GitHub PR).

The vulnerability was responsibly disclosed and addressed by the maintainers of the sanitize-html package. The Apostrophe CMS team has released version 3.63.1 which includes the patched version of sanitize-html to address this security issue (Apostrophe Discussion).