Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko up to and including 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML up to and including 1.9.22 (also affecting OWASP AntiSamy prior to 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
Vulnerable Product |
---|
cyberneko html project cyberneko html |
htmlunit htmlunit |
antisamy project antisamy |