cbcvebase.
CVE-2021-3377
published 2021-03-05


Priority: P3 · 42 · medium · 6.1 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 8.00% (94.0th percentile)
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.

Affected (3 ranges)

Vendor           Product       Version range                               Fixed in
ansi_up_project  ansi_up       < 5.0.0                                     5.0.0
ansi_up_project  ansi_up       >= 0 < 5.0.0                                5.0.0
debian           node-ansi-up  < node-ansi-up 5.0.0+dfsg-1 (bookworm)      node-ansi-up 5.0.0+dfsg-1 (bookworm)

Detection & IOCs (extracted from sources)

url: GET /\u001B]8;;https://interact.sh"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007
  • Look for ANSI OSC hyperlink escape sequences (ESC]8;; ... BEL) in HTTP request paths or user-supplied input being rendered as HTML — these are the attack vector for injecting malicious href attributes.
  • Responses must be Content-Type: text/html for the XSS payload to be executable; filter detections to HTML responses only.
  • The vulnerability is specific to ansi_up v4.x (versions < 5.0.0); inventory Node.js applications using this package version range as a prioritization signal.
  • The Nuclei template requires `unsafe: true` mode to send raw HTTP requests containing literal ANSI escape sequences (\u001B, \u0007); standard HTTP clients will reject or encode these bytes, so detection tooling must support raw/unsafe request sending.
  • The attack surface is limited to applications that pass untrusted user input through ansi_up v4 and render the output in an HTML context; server-side or non-HTML rendering contexts are not affected.
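A small log scanner for the OSC 8 hyperlink pattern described in the bullets above, added here as an illustration rather than code from the advisory's sources or from ansi_up itself. The log lines are constructed; the second one is the request path listed above, and the "suspicious" verdict flags URLs that are not plain http(s) or carry characters able to break out of an href attribute.

```javascript
// Added example: scan raw HTTP request paths for ANSI OSC 8 hyperlink
// sequences and flag URLs that could break out of an href attribute.
const ESC = "\u001B";
const BEL = "\u0007";
// OSC 8 hyperlink: ESC ] 8 ; <params> ; <url> terminated by BEL or ESC \
const OSC8 = new RegExp(
  `${ESC}\\]8;([^;\\u0007\\u001B]*);([^\\u0007\\u001B]*)(?:${BEL}|${ESC}\\\\)`,
  "g"
);

// A URL is treated as suspicious when it is not plain http(s) or contains
// characters that can terminate an HTML attribute or start a new one.
function isSuspiciousUrl(url) {
  if (/["'<>\s]/.test(url)) return true;
  return !/^https?:\/\//i.test(url);
}

// Extract every OSC 8 hyperlink from one log line and attach a verdict.
// The closing sequence (ESC]8;; BEL) has an empty URL and is skipped.
function findOscHyperlinks(line) {
  const hits = [];
  for (const m of line.matchAll(OSC8)) {
    const url = m[2];
    if (url === "") continue;
    hits.push({ url, suspicious: isSuspiciousUrl(url) });
  }
  return hits;
}

// Scan a list of lines; returns one entry per hyperlink with its line number.
function scanLog(lines) {
  return lines.flatMap((line, i) =>
    findOscHyperlinks(line).map((h) => ({ line: i + 1, ...h }))
  );
}

// Constructed sample log: a benign hyperlink, the advisory's PoC path, and a
// request with no escape sequences at all.
const SAMPLE_LOG = [
  `GET /docs ${ESC}]8;;https://example.org/docs${BEL}docs${ESC}]8;;${BEL} HTTP/1.1`,
  `GET /${ESC}]8;;https://interact.sh"/onmouseover="alert(1)${BEL}example${ESC}]8;;${BEL} HTTP/1.1`,
  "GET /plain HTTP/1.1",
];

console.log(scanLog(SAMPLE_LOG));
```

Only the second line is reported as suspicious; a benign `https://` link with no attribute-breaking characters is listed but not flagged.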

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd            v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N
osv            -        6.1    MEDIUM    -
vendor_debian  -        6.1    MEDIUM    -
vendor_redhat  -        6.1    MEDIUM    -