
Cloud Vulnerability DB
A community-led vulnerabilities database
The Ammonia Rust crate (versions >= 4.1.0, < 4.1.2; >= 4.0.0, < 4.0.1; < 3.3.1) contains a vulnerability related to incorrect handling of embedded SVG and MathML elements, which can lead to mutation XSS after removal. The vulnerability was reported on September 21, 2025, and officially issued on September 22, 2025. This security issue affects applications that specifically allow SVG or MathML tags along with certain raw text HTML elements (GitHub Advisory, RustSec Advisory).
The vulnerability stems from the crate's failure to properly strip namespace-incompatible tags in specific situations, leading to incorrect handling of differences between HTML, SVG, and MathML namespaces. The issue manifests when a tag is parsed as HTML during the cleaning process but is serialized in a way that causes it to be parsed as XML by the browser. The vulnerability has been assigned a CVSS v4.0 score of 1.7 (Low severity) with the following vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (GitHub Advisory).
The vulnerability only affects applications that explicitly allow SVG or MathML tags along with specific raw text HTML elements including title, textarea, xmp, iframe, noembed, noframes, plaintext, noscript, style, and script. Applications that do not explicitly allow these tags are not affected, as none of these tags are allowed by default (RustSec Advisory).
The vulnerability has been patched in versions 4.1.2, 4.0.1, and 3.3.1. Users are advised to upgrade to these patched versions. For applications that cannot immediately update, a workaround is to ensure that SVG/MathML tags and raw text HTML elements are not simultaneously allowed in the sanitizer configuration (GitHub Advisory).
Source: This report was generated using AI