CVE-2024-23635 Overview
CVE-2024-23635 is a mutation XSS (mXSS) vulnerability in AntiSamy, a widely used Java library for fast, configurable cleansing of HTML that comes from untrusted sources. In versions prior to 1.7.5, flawed parsing of the HTML being sanitized can let the sanitized output carry markup that a browser interprets as executable code when it renders the result.
Critical Impact
When the preserveComments directive is enabled in the AntiSamy policy file, a crafted input can pass sanitization with markup hidden inside what AntiSamy parsed as an HTML comment. When a browser re-parses the sanitized output, that hidden content is treated as live elements rather than comment text, and attacker-supplied JavaScript executes in the victim's browser.
Affected Products
- AntiSamy versions prior to 1.7.5
- Applications using an affected AntiSamy version with the preserveComments directive set to true in their policy file (policies that leave comments stripped are not exposed to this issue)
- Web applications that rely on AntiSamy output being safe to render as HTML
Discovery Timeline
- 2024-02-02 - CVE-2024-23635 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-23635
Vulnerability Analysis
This vulnerability represents a mutation XSS (mXSS) attack vector, a sophisticated class of Cross-Site Scripting (XSS) vulnerabilities. Unlike traditional XSS where malicious content is directly injected, mXSS exploits the differences between how HTML parsers interpret content during sanitization versus how browsers render the sanitized output.
The vulnerability specifically affects applications that have enabled the preserveComments directive in their AntiSamy policy configuration. When this setting is active, HTML comments are preserved through the sanitization process, creating an opportunity for attackers to craft payloads that appear benign during parsing but become executable when rendered by the browser.
Root Cause
The root cause lies in the flawed parsing logic within AntiSamy's HTML sanitization engine. The library does not account for edge cases in which HTML comment boundaries can be manipulated so that content it treats as inert comment text is serialized in a form a browser's parser terminates early or reads as markup. Because the browser re-parses the sanitized string with different boundary rules than AntiSamy applied during sanitization, previously hidden script content becomes executable.
This is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), as the sanitizer fails to properly neutralize user-controllable input that could be interpreted as executable script.
Attack Vector
The attack requires network access and user interaction, as victims must visit a page containing the malicious sanitized content. Attackers can exploit this vulnerability by submitting specially crafted HTML content to any application feature that processes user input through AntiSamy with preserveComments enabled.
The mutation XSS technique works by exploiting parser differentials—the attacker crafts input that AntiSamy's parser interprets as safe comment content, but that browsers will interpret differently when rendering the output. This can allow script tags or event handlers hidden within or around comment boundaries to execute.
For detailed technical analysis and specific payload examples, refer to the GitHub Security Advisory.
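The parser-differential behaviour described above suggests a runtime check that a practitioner can add around any AntiSamy call: sanitize, then sanitize the output again; a sanitizer should be a fixed point on its own output, and mXSS inputs characteristically are not, because the serialized HTML re-parses into different markup. The wrapper below is an added example, not code from the AntiSamy project or the advisory. It assumes AntiSamy 1.7.x (org.owasp.antisamy:antisamy) on the classpath, a policy file path given on the command line, and the Policy.getDirective and Policy.cloneWithDirective methods of the 1.7 API; the sample input is constructed and is not a CVE-2024-23635 payload.

```java
import java.util.Collections;
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added example, not AntiSamy project code. Wraps AntiSamy so that
 * (1) preserveComments is forced to false at runtime regardless of the policy file, and
 * (2) every scan is checked for stability: sanitizing the sanitized output a second
 *     time must return the same string.
 */
public final class StableSanitizer {

    /** Outcome of one scan: the HTML to render (empty when rejected) and why. */
    public static final class Result {
        public final String html;
        public final boolean stable;
        public final List<String> messages;

        Result(String html, boolean stable, List<String> messages) {
            this.html = html;
            this.stable = stable;
            this.messages = Collections.unmodifiableList(messages);
        }
    }

    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy policy;

    /** policyPath is a file-system path to an AntiSamy policy XML (assumed layout). */
    public StableSanitizer(String policyPath) throws PolicyException {
        Policy loaded = Policy.getInstance(policyPath);
        // Belt and braces: even if the file says true, run with comments dropped.
        this.policy = "true".equalsIgnoreCase(loaded.getDirective("preserveComments"))
                ? loaded.cloneWithDirective("preserveComments", "false")
                : loaded;
    }

    public Result sanitize(String untrusted) throws ScanException, PolicyException {
        CleanResults first = antiSamy.scan(untrusted, policy);
        String once = first.getCleanHTML();
        // Re-sanitize the output. A difference means the serialized HTML re-parsed
        // into different markup than the sanitizer believed it emitted.
        String twice = antiSamy.scan(once, policy).getCleanHTML();
        boolean stable = once.equals(twice);
        // Reject unstable output rather than serve it, and keep the input for a
        // regression corpus. Legitimate normalization can also trip this check,
        // so measure the false-positive rate on real content before enforcing.
        return new Result(stable ? once : "", stable, first.getErrorMessages());
    }

    public static void main(String[] args) throws Exception {
        StableSanitizer s = new StableSanitizer(args.length > 0 ? args[0] : "antisamy.xml");
        // Constructed sample input, not a CVE-2024-23635 payload (see the GHSA for those).
        Result r = s.sanitize("<p>hello<!-- a comment --><b>world</b></p>");
        System.out.println("stable=" + r.stable + " html=" + r.html);
    }
}
```

Compile and run with the AntiSamy jar and its transitive dependencies on the classpath. Treat an unstable result as a reject-and-alert event, not as something to "fix up" by serving the second pass: the second pass is only stable with respect to one more round of parsing, and the point of the check is to catch inputs the sanitizer does not understand.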
Detection Methods for CVE-2024-23635
Indicators of Compromise
- Unusual HTML comment structures in user-submitted content containing script-like patterns
- Web application logs showing attempts to submit malformed or nested HTML comments
- CSP violation reports or browser-side error telemetry showing blocked inline script execution on pages that render sanitized user content
- User reports of unexpected behavior or pop-ups on pages displaying user-generated content
Detection Strategies
- Review application dependencies to identify AntiSamy versions prior to 1.7.5
- Audit AntiSamy policy files for the preserveComments directive being set to true
- Implement Web Application Firewall (WAF) rules to flag HTML-comment-heavy or malformed-comment submissions, bearing in mind that mXSS exists precisely because parsers disagree, so a WAF's own parser can be bypassed; treat WAF hits as telemetry, not as the control
- Deploy Content Security Policy (CSP) headers that disallow inline script, with a report-uri or report-to directive so blocked execution attempts are reported as well as stopped
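The first two detection items (find affected versions, find policies with preserveComments enabled) can be automated over a source tree. The audit tool below is an added example, not AntiSamy project code: it walks a directory, flags any AntiSamy policy XML whose preserveComments directive is true, and flags pom.xml dependencies on org.owasp.antisamy:antisamy below 1.7.5. The class name, output format and the assumption that policies are stand-alone XML files with an anti-samy-rules root are mine; versions set through Maven properties, a parent POM or a BOM are reported as unresolved and should be checked with mvn dependency:tree.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example, not AntiSamy project code: audit a source tree for CVE-2024-23635 exposure. */
public final class AntiSamyAudit {
    /** First fixed release. */
    static final int[] FIXED = {1, 7, 5};

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        List<Path> xmlFiles;
        try (Stream<Path> walk = Files.walk(root)) {
            xmlFiles = walk.filter(p -> p.toString().endsWith(".xml")).collect(Collectors.toList());
        }
        List<String> findings = new ArrayList<>();
        for (Path p : xmlFiles) {
            Document doc;
            try {
                doc = parse(p);
            } catch (Exception e) {
                continue; // not well-formed XML, or carries a DOCTYPE we refuse; skip it
            }
            String rootTag = doc.getDocumentElement().getTagName();
            if ("anti-samy-rules".equals(rootTag)) {
                checkPolicy(p, doc, findings);
            } else if ("project".equals(rootTag) && p.getFileName().toString().equals("pom.xml")) {
                checkPom(p, doc, findings);
            }
        }
        if (findings.isEmpty()) {
            System.out.println("no findings under " + root);
        } else {
            findings.forEach(System.out::println);
        }
    }

    /** Hardened DOM parser: no DOCTYPE, no external entities, since the tree may hold untrusted files. */
    static Document parse(Path p) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(p.toFile());
    }

    /** A policy is exposed when it contains <directive name="preserveComments" value="true"/>. */
    static void checkPolicy(Path p, Document doc, List<String> out) {
        NodeList directives = doc.getElementsByTagName("directive");
        for (int i = 0; i < directives.getLength(); i++) {
            Element d = (Element) directives.item(i);
            if ("preserveComments".equals(d.getAttribute("name"))
                    && "true".equalsIgnoreCase(d.getAttribute("value").trim())) {
                out.add("POLICY " + p + ": preserveComments=true; set to false or upgrade AntiSamy to 1.7.5+");
            }
        }
    }

    /** Flags org.owasp.antisamy:antisamy below 1.7.5 in <dependencies> and <dependencyManagement>. */
    static void checkPom(Path p, Document doc, List<String> out) {
        NodeList deps = doc.getElementsByTagName("dependency");
        for (int i = 0; i < deps.getLength(); i++) {
            Element dep = (Element) deps.item(i);
            if (!"org.owasp.antisamy".equals(childText(dep, "groupId"))
                    || !"antisamy".equals(childText(dep, "artifactId"))) {
                continue;
            }
            String version = childText(dep, "version");
            if (version == null || version.startsWith("${")) {
                out.add("POM    " + p + ": antisamy version not literal (" + version + "); resolve with mvn dependency:tree");
            } else if (olderThanFixed(version)) {
                out.add("POM    " + p + ": antisamy " + version + " is below 1.7.5 (CVE-2024-23635)");
            }
        }
    }

    /** Text of a direct child element, so <exclusions> inside a dependency are not mistaken for its own coordinates. */
    static String childText(Element parent, String name) {
        NodeList kids = parent.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            if (kids.item(i) instanceof Element && name.equals(((Element) kids.item(i)).getTagName())) {
                return kids.item(i).getTextContent().trim();
            }
        }
        return null;
    }

    /** Numeric-prefix comparison: "1.7.4" and "1.6.8.1" are older; "1.7.5" and "1.7.10" are not. */
    static boolean olderThanFixed(String version) {
        String[] parts = version.replaceFirst("^[^0-9]+", "").split("[^0-9]+");
        for (int i = 0; i < FIXED.length; i++) {
            int v = i < parts.length && !parts[i].isEmpty() ? Integer.parseInt(parts[i]) : 0;
            if (v != FIXED[i]) {
                return v < FIXED[i];
            }
        }
        return false;
    }
}
```

Run it as java AntiSamyAudit /path/to/repo. It only looks at Maven coordinates; Gradle builds, shaded jars and policies loaded from a database or a classpath resource inside a jar need a separate check.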
Monitoring Recommendations
- Log HTML sanitization operations (input size, number of AntiSamy error messages, and a hash of the input) so suspicious submissions can be correlated; store the raw HTML only in a quarantined location, since writing untrusted markup straight into application logs invites log injection and leaks user data
- Monitor for CSP violation reports indicating attempted script execution from sanitized content
- Set up alerts for unusual patterns in user-submitted HTML, particularly around comment syntax
- Implement runtime application security monitoring to detect XSS exploitation attempts
How to Mitigate CVE-2024-23635
Immediate Actions Required
- Upgrade AntiSamy to version 1.7.5 or later immediately
- Audit all AntiSamy policy files and disable preserveComments unless absolutely necessary
- Review every place sanitized output is rendered: it must be emitted into an HTML body context as-is, never into an attribute, JavaScript, URL or other context where the sanitizer's guarantees do not apply and different encoding is required
- Implement Content Security Policy headers to provide defense-in-depth against XSS
Patch Information
The vulnerability has been patched in AntiSamy version 1.7.5 and later. Organizations should update their AntiSamy dependency to the latest available version. The patch addresses the parser differential that allowed crafted HTML comments to bypass sanitization.
For complete patch details and release notes, see the GitHub Security Advisory.
Workarounds
- Disable the preserveComments directive in your AntiSamy policy file by setting it to false
- Confine AntiSamy output to HTML body context; do not HTML-encode the sanitized result (that would display the markup as text), and route values destined for attributes, JavaScript or URLs through context-specific encoders rather than the HTML sanitizer
- Implement strict Content Security Policy headers that block inline script execution
- Consider using alternative HTML sanitization approaches for high-risk applications until patching is complete
Configuration example: disable preserveComments in the AntiSamy policy XML file. The directive belongs inside the <directives> element:

<!-- keep HTML comments stripped so CVE-2024-23635 is not reachable -->
<directive name="preserveComments" value="false"/>

Maven dependency update: in pom.xml, move to AntiSamy 1.7.5 or later:

<dependency>
  <groupId>org.owasp.antisamy</groupId>
  <artifactId>antisamy</artifactId>
  <version>1.7.5</version>
</dependency>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.