CVE-2020-26303: insane vulnerable to Regular Expression Denial of Service

October 26, 2024 (updated November 13, 2024)

insane is an allowlist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

References

github.com/advisories/GHSA-w455-mfq9-hf74
github.com/bevacqua/insane
github.com/bevacqua/insane/issues/19
nvd.nist.gov/vuln/detail/CVE-2020-26303
securitylab.github.com/advisories/GHSL-2020-289-redos-insane

Detect and mitigate CVE-2020-26303 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →