Vulnerability : CVE-2022-37620

[borrelm]

What happened?

Hi,

IMO this fork of https://github.com/kangax/html-minifier is still vulnerable to CVE-2022-37620 as the regex in the candidate variable is still the same.
References :
https://nvd.nist.gov/vuln/detail/CVE-2022-37620
kangax/html-minifier#1135

Version

All

What browsers are you seeing the problem on?

No response

Link to reproduce

No response

Relevant log output

No response

Willing to submit a PR?

None

[DanielRuf]

It seems the CVE record differs from https://security.snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181, which contains more details.

Not sure why this is the case. I will clarify with Snyk.

The described PoC does not work with html-minifier-terser:

import { minify } from 'html-minifier-terser';
result = minify(attrName = '\t'.repeat(547703) + '.\t1x', tag = '\t'.repeat(547703) + '.\t1x'  )

But with valid code, the PoC works:

import { minify } from 'html-minifier-terser';
const result = minify('\t'.repeat(547703) + '.\t1x')

[DanielRuf]

It seems no one really confirmed the actual issue here. See my addition regarding the candidate variable: kangax/html-minifier#1135 (comment)

Detailed analysis and recommended mitigations: kangax/html-minifier#1135 (comment)

[teknosains]

Hi @DanielRuf

im using this in Remix

import { minify } from 'html-minifier-terser';

got this error

Cannot find module 'html-minifier-terser'

how do you manage to succfuly using import?

[DanielRuf]

Cannot find module 'html-minifier-terser'

This means the step with npm i html-minifier-terser was forgotten.

[mw-sezzle]

Will this be addressed soon?