Vulnerability: CVE-2022-37620
What happened?
Hi,
IMO this fork of https://github.com/kangax/html-minifier is still vulnerable to CVE-2022-37620 as the regex in the candidate variable is still the same.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-37620
https://github.com/kangax/html-minifier/issues/1135
Version
All
What browsers are you seeing the problem on?
No response
Link to reproduce
No response
Relevant log output
No response
Willing to submit a PR?
None
It seems the CVE record differs from https://security.snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181, which contains more details.
Not sure why this is the case. I will clarify with Snyk.
The described PoC does not work with html-minifier-terser:
import { minify } from 'html-minifier-terser';
result = minify(attrName = '\t'.repeat(547703) + '.\t1x', tag = '\t'.repeat(547703) + '.\t1x' )
But with valid code, the PoC works:
import { minify } from 'html-minifier-terser';
const result = minify('\t'.repeat(547703) + '.\t1x')
It seems no one really confirmed the actual issue here. See my addition regarding the candidate variable: https://github.com/kangax/html-minifier/issues/1135#issuecomment-2453388023
Detailed analysis and recommended mitigations: https://github.com/kangax/html-minifier/issues/1135#issuecomment-2453405484
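To make the PoC shape in this thread concrete, here is an added example (mine, not code from html-minifier or html-minifier-terser) that contrasts a srcset-descriptor regex with an unanchored leading `\s+` and a trailing `$` against a linear-time scan that accepts exactly the same strings. The regex `DESCRIPTOR_SUFFIX` is my assumption about the shape of the `candidate` regex under discussion, not a copy from htmlminifier.js; compare it against the source before drawing conclusions. `pocInput(n)` builds the same kind of input as the thread's PoC, parameterised so the quadratic cost can be watched at small `n` instead of hanging the process at 547703.

```javascript
// Added example, not project code. DESCRIPTOR_SUFFIX is an ASSUMPTION about
// the shape of the `candidate` regex discussed in this thread; verify it
// against htmlminifier.js before relying on it.
const DESCRIPTOR_SUFFIX = /\s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$/;

// The same alternation anchored on both sides; only ever applied to a short tail.
const DESCRIPTOR_ONLY = /^([1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$/;

// Backtracking form. For "\t".repeat(n) + ".\t1x" the engine starts at each
// of the n tab positions, lets `\s+` swallow the rest of the tab run, fails on
// the '.', then backs off one tab at a time: about n^2 / 2 steps before the
// real match ("1x" after the last tab) is found.
function descriptorBacktracking(candidate) {
  const m = candidate.match(DESCRIPTOR_SUFFIX);
  return m ? m[1] : null;
}

// Linear form. A descriptor consists only of digits, '.', 'w' and 'x', so any
// match of DESCRIPTOR_SUFFIX is exactly the maximal trailing run of those
// characters, preceded by one whitespace character. Walk back over that run
// once, then validate the short tail with the anchored regex.
function descriptorLinear(candidate) {
  let i = candidate.length;
  while (i > 0 && /[0-9.wx]/.test(candidate[i - 1])) i--;
  const tail = candidate.slice(i);
  if (tail.length === 0 || i === 0) return null;   // no run, or run at start
  if (!/\s/.test(candidate[i - 1])) return null;   // must follow whitespace
  const m = tail.match(DESCRIPTOR_ONLY);
  return m ? m[1] : null;
}

// Constructed input of the same shape as the thread's PoC, with a tunable n.
function pocInput(n) {
  return '\t'.repeat(n) + '.\t1x';
}

// Wall-clock cost of fn() in milliseconds.
function measureMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Doubling n should roughly quadruple the backtracking time while the linear
// scan stays flat; n is kept small so the demo finishes in well under a second.
function demo() {
  for (const n of [500, 2000, 8000]) {
    const input = pocInput(n);
    const slow = measureMs(() => descriptorBacktracking(input));
    const fast = measureMs(() => descriptorLinear(input));
    console.log(`n=${n}: backtracking ${slow.toFixed(2)} ms, linear ${fast.toFixed(3)} ms`);
  }
}

demo();
```

Both functions return the descriptor string (`'2x'`, `'100w'`, `'1.5x'`) or `null`, so the linear version can be dropped in wherever the regex result was used; the fix is to bound how much input the backtracking engine can revisit, not to change what is accepted.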
Hi @DanielRuf
I'm using this in Remix
import { minify } from 'html-minifier-terser';
I got this error:
Cannot find module 'html-minifier-terser'
How do you manage to successfully use import?
Cannot find module 'html-minifier-terser'
This means the step with npm i html-minifier-terser was forgotten.
Will this be addressed soon?