The popular browser project Chromium had a serious HTML parser bug that could allow XSS attacks. The researcher reporting the flaw called it a “crazy” vulnerability. Thankfully, the developers have addressed the glitch.
Chromium HTML Parser Bug
Security researcher Michał Bentkowski from Securitum has disclosed an HTML parser bug affecting Chromium software. While the researcher hasn’t created a detailed write-up about the flaw, he did call it the “most crazy” bug he ever detected.
I promise I’ll release a writeup of this bug soon with more background how I stumbled upon it but for now here we go (I think it’s the most crazy parser bug I’ve ever found) https://t.co/r28GOszxzp
— Michał Bentkowski 🦻 (@SecurityMB) March 23, 2022
Though the researcher’s post is currently unavailable, the Chromium bug tracker thread shares insights about the problems. As revealed, the vulnerability existed because of the presence of two tree builders, html_tree_builder.cc
and html_tree_builder_simulator.cc
. Describing the two tree builders, the researcher stated,
html_tree_builder_simulator
appears to be used in cases when HTML parsing can be done asynchronously, and its main purpose is to handle tokenizer state switches, while the actual DOM tree is still being built by html_tree_builder.
I noticed thathtml_tree_builder_simulator
is used when parsing `srcdoc` attribute of iframes; but it is NOT used byDOMParser().parseFromString
. Many HTML sanitizers use the latter, including DOMPurify or Closure.
So, a “discrepancy” between the two builders could trigger cross-site scripting (XSS).
The HTML is initially parsed with html_tree_builder but then the result is parsed with
html_tree_builder_simulator
. This means that any discrepancy between these two tree builders might lead to mutation XSS.
The bug has received the ID number CVE-2022-0801 and a medium-severity rating. More technical details about the flaw are available in the bug thread.
Google Patched The Flaw
Following the researcher’s bug report last year, Chromium developers started working on a fix. Consequently, they released the patch earlier this month with Google Chrome 99.0.4844.51 desktop release.
Google’s advisory confirms fixing this bug, alongside acknowledging the researcher’s effort with a $5000 bounty.
Nonetheless, this Chrome version isn’t the latest release since Google has just fixed a zero-day with 99.0.4844.84. Therefore, Chrome users should ensure to update their Windows, Mac, and Linux systems to this release (at least) to stay safe against exploits.