CVE-2021-3377
published 2021-03-05CVE-2021-3377: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL…
PriorityP342medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
8.00%
94.0th percentile
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansi_up_project | ansi_up | < 5.0.0 | 5.0.0 |
| ansi_up_project | ansi_up | >= 0 < 5.0.0 | 5.0.0 |
| debian | node-ansi-up | < node-ansi-up 5.0.0+dfsg-1 (bookworm) | node-ansi-up 5.0.0+dfsg-1 (bookworm) |
Detection & IOCsextracted from sources · hover to see the quote
urlGET /\u001B]8;;https://interact.sh"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007
- →Look for ANSI OSC hyperlink escape sequences (ESC]8;; ... BEL) in HTTP request paths or user-supplied input being rendered as HTML — these are the attack vector for injecting malicious href attributes.
- →Responses must be Content-Type: text/html for the XSS payload to be executable; filter detections to HTML responses only.
- →The vulnerability is specific to ansi_up v4.x (versions < 5.0.0); inventory Node.js applications using this package version range as a prioritization signal. ↗
- ·The Nuclei template requires `unsafe: true` mode to send raw HTTP requests containing literal ANSI escape sequences (\u001B, \u0007); standard HTTP clients will reject or encode these bytes, so detection tooling must support raw/unsafe request sending.
- ·The attack surface is limited to applications that pass untrusted user input through ansi_up v4 and render the output in an HTML context; server-side or non-HTML rendering contexts are not affected. ↗
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv6.1MEDIUM
vendor_debian6.1MEDIUM
vendor_redhat6.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
nodejs-ansi_up: XSS due to insufficient URL sanitization
vendor_redhat·2021-01-29·CVSS 6.1
CVE-2021-3377 [MEDIUM] CWE-79 nodejs-ansi_up: XSS due to insufficient URL sanitization
nodejs-ansi_up: XSS due to insufficient URL sanitization
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
A flaw was found in npm package ansi_up versions < 5.0.0 when parsing untrusted user input. An attacker could take advantage of this by introducing ANSI escape codes to inject arbitrary HTML and JavaScript in result mounting a cross-site scripting (XSS) attack.
Package: kui-web-terminal (Red Hat Advanced Cluster Management for Kubernetes 2) - Affected
Debian
CVE-2021-3377: node-ansi-up - The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANS...
vendor_debian·2021·CVSS 6.1
CVE-2021-3377 [MEDIUM] CVE-2021-3377: node-ansi-up - The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANS...
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
Scope: local
bookworm: resolved (fixed in 5.0.0+dfsg-1)
bullseye: resolved (fixed in 5.0.0+dfsg-1)
forky: resolved (fixed in 5.0.0+dfsg-1)
sid: resolved (fixed in 5.0.0+dfsg-1)
trixie: resolved (fixed in 5.0.0+dfsg-1)
GHSA
ansi_up cross-site scripting vulnerability
ghsa·2021-03-11
CVE-2021-3377 [MEDIUM] CWE-79 ansi_up cross-site scripting vulnerability
ansi_up cross-site scripting vulnerability
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
OSV
ansi_up cross-site scripting vulnerability
osv·2021-03-11
CVE-2021-3377 [MEDIUM] ansi_up cross-site scripting vulnerability
ansi_up cross-site scripting vulnerability
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
OSV
CVE-2021-3377: The npm package ansi_up converts ANSI escape codes into HTML
osv·2021-03-05·CVSS 6.1
CVE-2021-3377 [MEDIUM] CVE-2021-3377: The npm package ansi_up converts ANSI escape codes into HTML
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
No detection rules found.
Nuclei
npm ansi_up v4 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2021-3377 [MEDIUM] npm ansi_up v4 - Cross-Site Scripting
npm ansi_up v4 - Cross-Site Scripting
npm package ansi_up v4 is vulnerable to cross-site scripting because ANSI escape codes can be used to create HTML hyperlinks.
Template:
id: CVE-2021-3377
info:
name: npm ansi_up v4 - Cross-Site Scripting
author: geeknik
severity: medium
description: npm package ansi_up v4 is vulnerable to cross-site scripting because ANSI escape codes can be used to create HTML hyperlinks.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a user's browser, leading to potential data theft or unauthorized actions.
remediation: Upgrade to v5.0.0 or later.
reference:
- https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf
- https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae
No writeups or analysis indexed.
https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdfhttps://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdfhttps://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27https://security.netapp.com/advisory/ntap-20241108-0002/
2021-03-05
Published