Impact

A mutation XSS affects users calling bleach.clean with all of:

• the svg or math in the allowed/whitelisted tags
• an RCDATA tag (see below) in the allowed/whitelisted tags
• the keyword argument strip=False

Patches

Users are encouraged to upgrade to bleach v3.1.2 or greater.

Workarounds

• modify bleach.clean calls to use strip=True, or not whitelist math or svg tags and one or more of the following tags:

script
noscript
style
noframes
xmp
noembed
iframe

• A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs) will also help mitigate the risk.

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=1621692
• https://cure53.de/fp170.pdf
• https://nvd.nist.gov/vuln/detail/CVE-2020-6816
• https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach

Credits

• Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx

For more information

If you have any questions or comments about this advisory:

• Open an issue at https://github.com/mozilla/bleach/issues
• Email us at security@mozilla.org

References

• GHSA-m6xf-fq7q-8743
• https://github.com/mozilla/bleach/releases/tag/v3.1.2
• https://nvd.nist.gov/vuln/detail/CVE-2020-6816
• https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EDQU2SZLZMSSACCBUBJ6NOSRNNBDYFW5/
• https://advisory.checkmarx.net/advisory/CX-2020-4277