CVE-2021-3377: ansi_up cross-site scripting vulnerability

March 11, 2021 (updated November 4, 2025)

The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.

References

doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf
github.com/advisories/GHSA-2v5f-23xc-v9qr
github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27
nvd.nist.gov/vuln/detail/CVE-2021-3377
security.netapp.com/advisory/ntap-20241108-0002

Code Behaviors & Features

Detect and mitigate CVE-2021-3377 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →