Description

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.

Remediation

References

https://github.com/nahsra/antisamy/releases/tag/v1.6.6

https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit

https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/

Related Vulnerabilities

CVE-2021-28918 Vulnerability in npm package netmask

CVE-2023-26139 Vulnerability in npm package underscore-keypath

CVE-2021-27290 Vulnerability in npm package ssri

CVE-2018-6561 Vulnerability in maven package org.webjars.npm:dijit

CVE-2020-11619 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Release Notes Third Party Advisory NVD-CWE-noinfo