Heads-up: XSS risk in DOMSerializer

marijn · July 14, 2024, 5:09pm

This is a warning that a viable cross-site scripting vulnerability has been brought to my attention that some uses of ProseMirror are affected by.

Specifically, if you:

Have a node or mark serializer function (toDOM spec or a function passed to DOMSerializer) that puts a value from an attribute directly in an array used to describe a DOM structure (for example node => ["span", node.attrs.label])
and don’t fully sanitize these attributes when they are read from JSON (or another source)
then it may be possible for a malicious actor so inject an attribute like attrs: {label: ["script", {src: "//dodgy.com/script.js"}]} or a similar structure into your document via a tampered API request, and trick DOMSerializer into emitting arbitrary HTML tags, which, when rendered, might inject code into your webpages.

I recommend you upgrade to prosemirror-model 1.22.1 at your earliest convenience. Firstly, this version supports a new attribute configuration field validate, which it is recommended to define for all your attributes, that allows you validate that they are of the shape they should be.

In addition, that version contains ad-hoc code that checks for this precise situation, and will refuse to render DOM output spec arrays that originate in a node or mark’s attributes.

Be safe!

thaidn · July 16, 2024, 6:57pm

Hi! This is Thai from Calif. We found this vulnerability.

We’ve published a blog post with more details: Type confusion attacks in ProseMirror editors - by Khanh.

marinj: Thanks for a quick turnover over the weekend!

frederik · July 18, 2024, 7:21am

Good work @thaidn! (@marijn as always).

I feel it’s also fair to point out that we should all be consistently set the script-src, … Content Security Policy (for anyone coming here to learn about the vulnerability)

Abc · July 23, 2024, 5:41am

@marijn Thanks for the heads up and for the quick fix. @thaidn thanks for the guide on how this can be exploited.

Since this may impact other consumers of ProseMirror, should there be a CVE for ProseMirror? Consumers that use dependency vulnerability trackers will be notified of the Outline fix, but not necessarily of the new ProseMirror functionality and associated recommendations.

Specifically, I think this part is brilliant:

And wondering how to make sure all know to pull in the latest. Thank you!

bdbch · July 24, 2024, 4:52am

Thanks @marijn - great find!

We’ll upgrade our packages ASAP and release new versions of our packages.

thaidn · July 24, 2024, 2:09pm

Thanks @bdbch. We confirmed that this attack vector also affected TipTap.