Headline
CVE-2023-24038: Handler for `style` attribute is vulnerable to reDoS · Issue #3 · clintongormley/perl-html-stripscripts
The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_style ReDoS because of catastrophic backtracking for HTML content with certain style attributes.
Version: 1.06
Confirmed with Perl 5.16.3 & 5.32.1
This is a test script test.pl:
use HTML::StripScripts::Parser; my $hss = HTML::StripScripts::Parser->new; $hss->parse_file(shift); print $hss->filtered_document;
With attached test data, it crashes as below:
$ perl test.pl test-1.html.txt Complex regular subexpression recursion limit (32766) exceeded at /usr/share/perl5/vendor_perl/HTML/StripScripts.pm line 1602.
$ perl test.pl test-2.html.txt Complex regular subexpression recursion limit (32766) exceeded at /usr/share/perl5/vendor_perl/HTML/StripScripts.pm line 1606.
test-1.html.txt
test-2.html.txt
Related news
Ubuntu Security Notice 6100-1 - It was discovered that HTML::StripScripts does not properly parse HTML content with certain style attributes. A remote attacker could use this issue to cause a regular expression denial of service.
Debian Linux Security Advisory 5339-1 - Ikeda Soji reported that libhtml-stripscripts-perl, a Perl module for removing scripts from HTML, is prone to a regular expression denial of service, due to catastrophic backtracking for HTML content with specially crafted style attributes.