Listen to this Post
How the mentioned vulnerability works (CVE-less but real):
The Novu platform uses an HTML sanitizer to filter user-supplied email content. The sanitizer is configured with `allowedAttributes: false` in sanitizer.service.ts, which passes all attributes through the `sanitize-html` library. After that, a `DANGEROUS_ATTRIBUTES` array attempts to block known event handlers. However, this blocklist is incomplete. The `oncontentvisibilityautostatechange=` attribute is missing from the denial list. An attacker can inject an anchor tag with this attribute and a JavaScript payload (e.g., alert(window.origin)). When the email preview renders, the attribute executes the script because the sanitizer does not strip or escape it. The attribute is valid HTML and triggers on content visibility changes. The PoC uses <a oncontentvisibilityautostatechange="alert(window.origin)" style="display:block;content-visibility:auto">. Within seconds, the XSS popup appears. Another lax sanitizer exists in `sanitize.utils.ts` but its usage is unclear. The impact goes beyond self-XSS: shared dashboard links or OAuth flows can force victims into an attacker-controlled session, triggering the payload.
dailycve form:
Platform: Novu
Version: next
Vulnerability: XSS sanitization
Severity: Critical
date: 2025-04-14
Prediction: 2025-04-28
What Undercode Say:
Analytics:
Count missing dangerous attributes in Novu sanitizer
grep -o 'on[a-z]=' libs/application-generic/src/services/sanitize/sanitizer.service.ts | sort -u
Check if oncontentvisibilityautostatechange is blocked
echo "oncontentvisibilityautostatechange" | grep -Ff <(echo "DANGEROUS_ATTRIBUTES array content")
Simulate payload injection
curl -X POST https://dashboard.novu.co/api/workflows -H "Content-Type: application/json" -d '{"html":"<a oncontentvisibilityautostatechange=alert(1)>click"}'
How Exploit:
- Create a new workflow with an email step.
- Insert `` into the email body.
- Wait for preview to render – XSS triggers automatically.
- For remote exploit: Share the editor URL or abuse OAuth callback omission to log victim into attacker’s account, then trigger the payload.
Protection from this CVE:
- Update `DANGEROUS_ATTRIBUTES` to include
oncontentvisibilityautostatechange. - Use a strict allowlist for attributes instead of blocklist.
- Apply CSP (script-src ‘self’) to prevent inline script execution.
- Upgrade to patched version once released (expected within two weeks).
- Disable content-visibility:auto in email preview if possible.
Impact:
Cross-site scripting (XSS) leads to session hijacking, data theft, and account takeover. Shared dashboard links expose all collaborators. OAuth flow abuse forces victims into attacker-controlled sessions, enabling persistent compromise of email templates and workflows.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

