DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-vrx2-77f2-ww34: Multiple Sanitization Bypasses and DOM Manipulation Flaws in justhtml

Vulnerability ID: GHSA-VRX2-77F2-WW34
CVSS Score: 6.0
Published: 2026-04-22

The justhtml Python library (versions <= 1.16.0) is vulnerable to multiple security flaws: cross-site scripting (XSS), mutation XSS (mXSS), CSS injection, and denial of service (DoS). They stem from improper handling of the SVG/MathML integration points in foreign namespaces, incomplete constraints on DOM serialization (comment nodes and script/style rawtext), and a lack of cycle detection in programmatic DOM node manipulation.

TL;DR

justhtml versions up to 1.16.0 contain multiple sanitization bypasses, mXSS vectors via foreign namespaces, and a DOM cycle DoS. Upgrade to 1.17.0 or later to fix both the sanitization pipeline and the programmatic DOM interfaces.


Technical Details

  • CWE ID: CWE-79, CWE-674
  • Attack Vector: Network
  • CVSS Score: 6.0 (Medium)
  • Impact: Integrity (High), Availability (High - DoS via resource exhaustion: traversal of a cyclic DOM never terminates)
  • Exploit Status: No known weaponized exploits in the wild
  • Affected Component: Sanitization engine, DOM serialization, Node hierarchy

Affected Systems

  • justhtml Python package
  • Custom HTML sanitization pipelines utilizing justhtml
  • Applications programmatically generating HTML DOM structures via justhtml
  • justhtml: <= 1.16.0 (Fixed in: 1.17.0)

Code Analysis

Commit: 7efd824

Fix SVG/MathML integration point sanitization bypass

Commit: 3a73685

Secondary fixes for SVG/MathML integration points

Commit: e0513d5

Harden block sanitization and CSS injection prevention

Commit: 56d4384 (https://github.com/EmilStenstrom/justhtml/commit/56d438433f7e6619a8b874a121177e5866552025)

Fix Comment node serialization to prevent context breakouts

Commit: 1f3cb42 (https://github.com/EmilStenstrom/justhtml/commit/1f3cb42b25fa2eb5a801352d7b2f80be0bae5c42)

Address mXSS vulnerabilities in foreign namespaces

Commit: 7b73f07 (https://github.com/EmilStenstrom/justhtml/commit/7b73f07b76b9791ae0c3cca670ed394141199bb3)

Further mXSS mitigations for foreign namespaces

Commit: 559ae89 (https://github.com/EmilStenstrom/justhtml/commit/559ae89ff344df7b7b8805812f947421f54dbc9b)

Implement DOM cycle prevention to mitigate infinite loop DoS

Commit: c5cf2b3 (https://github.com/EmilStenstrom/justhtml/commit/c5cf2b3152b17b8a5cdf6c5565be2efb0ba7b13b)

Cache immutability enhancements

Commit: a126846 (https://github.com/EmilStenstrom/justhtml/commit/a1268460bf3161855131463b74ec0e709ddb8ba9)

Fix rawtext serialization for programmatic <script> and <style> nodes

Commit: 1855179 (https://github.com/EmilStenstrom/justhtml/commit/185517920ed73e06b733f408405d07c1fc4c8465)

Enhance security of SVG filter attributes
Mitigation Strategies

  • Upgrade the justhtml package to version 1.17.0 or later; this is the only complete fix.
  • Until the upgrade lands, disable custom sanitization policies that permit SVG or MathML content. The bypasses go through the foreign-namespace integration points, where the parser switches back to HTML: SVG foreignObject, desc and title; MathML mi, mo, mn, ms and mtext; and annotation-xml with an HTML encoding.
  • Validate content handed to programmatic DOM generation and reject context-breaking sequences (</script>, </style>, -->) before it reaches a comment or rawtext node.
  • Restrict any policy that preserves SVG/MathML tags to trusted input sources only.

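As an added illustration (not justhtml's code, and not a reconstruction of its internals), the following Python shows the two generic guards that the fixes listed above describe and that the mitigation bullet on context-breaking sequences and the remediation step on uncontrolled tree manipulation ask for: a cycle check when a node is attached, repeated at serialization time, and refusal of comment data and script/style rawtext that would close their own context. Node, Comment, serialize, rawtext_breakout, raises and ContextBreakout are hypothetical names, and the inputs are constructed.

```python
"""Illustrative hardened programmatic DOM. Added example, not justhtml's code.

Shows, generically, the two guards the fixes in this advisory describe:
  * a cycle guard when attaching nodes (CWE-674, infinite-loop DoS), and
  * context-breakout checks for Comment data and <script>/<style> rawtext.
Node, Comment, serialize and ContextBreakout are hypothetical names.
"""
from __future__ import annotations

import re
from html import escape

# Elements whose content the tokenizer consumes verbatim (script data / rawtext
# states). Nothing inside is escaped on output, so only the element's own
# closing tag can end it early.
RAWTEXT_ELEMENTS = {"script", "style"}

# A comment closes at "-->" or "--!>"; "<!-->" and "<!--->" close at once
# (abrupt-closing-of-empty-comment), so data starting with ">" or "->" escapes.
_COMMENT_CLOSERS = re.compile(r"-->|--!>")


class ContextBreakout(ValueError):
    """Node data would terminate the serialization context it is placed in."""


class Comment:
    def __init__(self, data: str) -> None:
        if _COMMENT_CLOSERS.search(data) or data.startswith((">", "->")):
            raise ContextBreakout(f"comment data would close the comment: {data!r}")
        self.data = data


class Node:
    def __init__(self, tag: str, attrs: dict | None = None) -> None:
        self.tag = tag.lower()
        self.attrs = dict(attrs or {})
        self.children: list = []        # Node | Comment | str
        self.parent: Node | None = None

    def ancestors(self):
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

    def append_child(self, child):
        """Attach child; refuse to make a node a descendant of itself (CWE-674)."""
        if isinstance(child, Node):
            if child is self or any(a is child for a in self.ancestors()):
                raise ValueError(f"<{child.tag}> under <{self.tag}> would form a cycle")
            if child.parent is not None:    # re-parent cleanly
                child.parent.children.remove(child)
            child.parent = self
        self.children.append(child)
        return child


def rawtext_breakout(tag: str, text: str) -> str | None:
    """Return the sequence that would end <tag> early, or None if text is safe."""
    m = re.search(rf"</{re.escape(tag)}", text, re.IGNORECASE)
    if m:
        return m.group(0)
    # In script data, "<!--" enters the escaped states; a later "<script>" then
    # enters the double-escaped state, where the real </script> is swallowed.
    if tag == "script" and "<!--" in text:
        return "<!--"
    return None


def serialize(node, _path: set | None = None) -> str:
    """Serialize to HTML, refusing cycles and context breakouts.
    Void elements (br, img, ...) are not special-cased in this illustration."""
    if isinstance(node, str):
        return escape(node, quote=False)
    if isinstance(node, Comment):
        return f"<!--{node.data}-->"
    path = _path if _path is not None else set()
    # Second line of defence: catch a cycle even when the tree was assembled by
    # writing node.children directly, bypassing append_child.
    if id(node) in path:
        raise ValueError(f"cycle detected at <{node.tag}>")
    path.add(id(node))
    attrs = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in node.attrs.items())
    if node.tag in RAWTEXT_ELEMENTS:
        if not all(isinstance(c, str) for c in node.children):
            raise ContextBreakout(f"<{node.tag}> may only contain text")
        text = "".join(node.children)
        bad = rawtext_breakout(node.tag, text)
        if bad is not None:
            raise ContextBreakout(f"{bad!r} would break out of <{node.tag}>")
        out = f"<{node.tag}{attrs}>{text}</{node.tag}>"   # deliberately unescaped
    else:
        inner = "".join(serialize(c, path) for c in node.children)
        out = f"<{node.tag}{attrs}>{inner}</{node.tag}>"
    path.discard(id(node))
    return out


def raises(fn, exc=ValueError) -> bool:
    """True if calling fn() raises exc (ContextBreakout is a ValueError)."""
    try:
        fn()
    except exc:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: attacker-controlled text in a script node, in a
    # comment, and a cycle built by direct list manipulation.
    s = Node("script")
    s.append_child('var x = "</scRipt><img src=x onerror=alert(1)>";')
    print("script breakout refused:", raises(lambda: serialize(s)))
    print("comment breakout refused:", raises(lambda: Comment("--> <b>")))
    a, b = Node("a"), Node("b")
    a.children.append(b)
    b.children.append(a)
    print("cycle detected in serialize:", raises(lambda: serialize(a)))
```

The append-time guard walks the parent chain, which costs O(depth) per append and is cheap next to a traversal that never terminates; the check inside serialize is deliberately redundant so that a tree assembled by writing child lists directly still fails closed. Rawtext content is emitted verbatim because that is how the tokenizer reads it, which is why escaping cannot help there and rejection is the safe choice.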
Remediation Steps:

  1. Identify all projects and dependencies that use the justhtml library, including transitive pins in lock files.
  2. Update requirements.txt, Pipfile, or pyproject.toml to require justhtml >= 1.17.0 and regenerate any lock file.
  3. Run the deployment pipeline to roll the updated package out to production environments.
  4. Audit custom sanitization policies so that legacy configurations do not still preserve the SVG/MathML integration points.
  5. Review programmatic DOM construction logic for uncontrolled tree manipulation (a node attached under one of its own descendants) and for comment or script/style content taken from untrusted input.
References

  • GitHub Advisory: GHSA-vrx2-77f2-ww34 (https://github.com/advisories/GHSA-vrx2-77f2-ww34)
  • OSV Record: GHSA-vrx2-77f2-ww34 (https://osv.dev/vulnerability/GHSA-vrx2-77f2-ww34)
  • justhtml Changelog (https://github.com/EmilStenstrom/justhtml/blob/main/CHANGELOG.md)

Read the full report for GHSA-VRX2-77F2-WW34 on cvereports.com (https://cvereports.com/reports/GHSA-VRX2-77F2-WW34) for more details, including interactive diagrams and full exploit analysis.
