Description
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
Remediation
References
https://github.com/nahsra/antisamy/releases/tag/v1.6.6
https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/
https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit
Related Vulnerabilities
CVE-2019-10773 Vulnerability in npm package @pnpm/package-bins
CVE-2020-36380 Vulnerability in npm package aaptjs
CVE-2019-1003057 Vulnerability in maven package org.jenkins-ci.plugins:bitbucket-approve
CVE-2023-26104 Vulnerability in npm package lite-web-server
CVE-2019-0231 Vulnerability in maven package org.apache.mina:mina-core