Chromium Devs Fixed A “Crazy” HTML Parser Bug

The popular browser project Chromium had a serious HTML parser bug that could allow XSS attacks. The researcher reporting the flaw called it a “crazy” vulnerability. Thankfully, the developers have addressed the glitch.

Chromium HTML Parser Bug

Security researcher Michał Bentkowski from Securitum has disclosed an HTML parser bug affecting Chromium software. While the researcher hasn’t created a detailed write-up about the flaw, he did call it the “most crazy” bug he ever detected.

Though the researcher’s post is currently unavailable, the Chromium bug tracker thread shares insights about the problems. As revealed, the vulnerability existed because of the presence of two tree builders, html_tree_builder.cc and html_tree_builder_simulator.cc. Describing the two tree builders, the researcher stated,

html_tree_builder_simulator appears to be used in cases when HTML parsing can be done asynchronously, and its main purpose is to handle tokenizer state switches, while the actual DOM tree is still being built by html_tree_builder.
I noticed that html_tree_builder_simulator is used when parsing `srcdoc` attribute of iframes; but it is NOT used by DOMParser().parseFromString. Many HTML sanitizers use the latter, including DOMPurify or Closure.

So, a “discrepancy” between the two builders could trigger cross-site scripting (XSS).

The HTML is initially parsed with html_tree_builder but then the result is parsed with html_tree_builder_simulator. This means that any discrepancy between these two tree builders might lead to mutation XSS.

The bug has received the ID number  CVE-2022-0801 and a medium-severity rating. More technical details about the flaw are available in the bug thread.

Google Patched The Flaw

Following the researcher’s bug report last year, Chromium developers started working on a fix. Consequently, they released the patch earlier this month with Google Chrome 99.0.4844.51 desktop release.

Google’s advisory confirms fixing this bug, alongside acknowledging the researcher’s effort with a $5000 bounty.

Nonetheless, this Chrome version isn’t the latest release since Google has just fixed a zero-day with 99.0.4844.84. Therefore, Chrome users should ensure to update their Windows, Mac, and Linux systems to this release (at least) to stay safe against exploits.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients