[PR #304] [CLOSED] [Security] Fix MEDIUM vulnerability: CVE-2024-53382 #226

Closed
opened 2025-12-29 08:32:10 +01:00 by adam · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/mountain-loop/yaak/pull/304
Author: @orbisai0security
Created: 11/21/2025
Status: Closed

Base: main ← Head: fix-cve-2024-53382-package-lock.json


📝 Commits (1)

  • 6477dfc fix: resolve medium vulnerability CVE-2024-53382

📊 Changes

2 files changed (+5 additions, -4 deletions)

📝 package-lock.json (+3 -3)
📝 package.json (+2 -1)

📄 Description

Security Fix

This PR addresses a MEDIUM severity vulnerability detected by our security scanner.

Security Impact Assessment

| Aspect | Rating | Rationale |
|--------|--------|-----------|
| Impact | Medium | In Yaak, an API client that uses PrismJS for syntax highlighting of code snippets like JSON responses, exploitation could lead to DOM clobbering if user-controlled content is rendered as HTML, potentially enabling XSS in the Electron renderer process and limited code execution within the app's sandboxed environment. |
| Likelihood | Low | Yaak is a desktop API testing tool not exposed to remote attacks, requiring an attacker to trick a user into loading malicious API responses or content that exploits the prism-autoloader plugin, which is unlikely given its developer-focused usage and lack of direct internet exposure. |
| Ease of Fix | Easy | Remediation involves updating the PrismJS dependency to a patched version via npm, as indicated by the provided commit and pull request links, with minimal risk of breaking changes since it's a library update without altering Yaak's core code. |

Evidence: Proof-of-Concept Exploitation Demo

⚠️ For Educational/Security Awareness Only

This demonstration shows how the vulnerability could be exploited to help you understand its severity and prioritize remediation.

How This Vulnerability Can Be Exploited

The DOM Clobbering vulnerability in PrismJS's prism-autoloader plugin allows an attacker to overwrite the global Prism object with a DOM element by injecting HTML containing an element with id="Prism". In the context of Yaak, an API client that uses PrismJS for syntax highlighting in its web-based frontend (built with Tauri), an attacker could exploit this by tricking a user into making an API request to a malicious server that returns HTML content designed to clobber the Prism object. If Yaak's response viewer has an HTML preview or rendering mode (common in API clients like Yaak for displaying response bodies), loading this HTML could interfere with PrismJS's autoloader functionality, potentially causing syntax highlighting failures or unexpected behavior in the app's UI. This requires the user to actively preview the malicious HTML response, making exploitation conditional on user interaction and Yaak's feature set.

```html
<!-- PoC HTML that an attacker could serve as an API response body (e.g., via a malicious server endpoint).
   In Yaak, if the user sends a GET request to http://malicious-server.com/exploit and previews the HTML response,
   this would clobber the Prism global in the app's webview, assuming PrismJS autoloader is loaded for highlighting. -->
<!DOCTYPE html>
<html lang="en">
<head>
    <title>Malicious Response</title>
    <!-- Include PrismJS resources as used in Yaak's frontend (based on package-lock.json dependency) -->
    <link href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/themes/prism.min.css" rel="stylesheet" />
</head>
<body>
    <!-- This div clobbers the global Prism object, making window.Prism refer to this DOM element instead of the PrismJS library object -->
    <div id="Prism">Clobbered Prism Object - Syntax Highlighting May Fail</div>

    <!-- Example code block that Prism autoloader would attempt to highlight, but clobbering disrupts normal operation -->
    <pre><code class="language-javascript">console.log('This code highlighting may not work due to clobbering');</code></pre>

    <!-- Scripts loaded as in Yaak's frontend -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/components/prism-core.min.js"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/plugins/autoloader/prism-autoloader.min.js"></script>
</body>
</html>
```
```bash
# Steps to reproduce in a test environment (do not run on production systems):
# 1. Set up a local malicious server to serve the above HTML (e.g., using Python's http.server)
echo 'Serve the PoC HTML above from a local server on port 8000' > /dev/null
python3 -m http.server 8000

# 2. In Yaak, create a new request to http://localhost:8000 (or a remote malicious URL)
# 3. Send the request and switch to HTML preview mode in the response viewer (if available in Yaak)
# 4. Observe that Prism is clobbered: Open browser dev tools in Yaak's webview and check that window.Prism is now a DOM element (<div id="Prism">) instead of the PrismJS object
# 5. Attempt to highlight code; the autoloader may fail to load languages dynamically, leading to unhighlighted or broken code display
```

Exploitation Impact Assessment

| Impact Category | Severity | Description |
|-----------------|----------|-------------|
| Data Exposure | None | No sensitive data (e.g., API keys, user credentials, or response data stored in Yaak) can be accessed or leaked through this client-side DOM Clobbering; it only affects the PrismJS object in the app's webview and does not interact with Yaak's data handling or storage. |
| System Compromise | None | This is a client-side vulnerability in the web frontend; it cannot grant system access, execute arbitrary code on the host, or escape the Tauri sandbox. The clobbering is limited to disrupting PrismJS functionality within the app's UI. |
| Operational Impact | Low | Successful exploitation could cause syntax highlighting failures in Yaak's response viewer, leading to degraded user experience (e.g., unreadable code snippets in API responses). It does not cause service disruptions, crashes, or resource exhaustion beyond minor UI issues. |
| Compliance Risk | Low | May violate general web security best practices (e.g., OWASP Top 10 A03:2021 Injection risks in client-side libraries), but poses no direct risk to regulations like GDPR or SOC2, as it does not handle or expose user data. Remediation aligns with secure dependency management standards. |

Vulnerability Details

  • Rule ID: CVE-2024-53382
  • File: package-lock.json
  • Description: prismjs: DOM Clobbering vulnerability within the Prism library's prism-autoloader plugin

Changes Made

This automated fix addresses the vulnerability by applying security best practices.

Files Modified

  • package-lock.json
  • package.json

Verification

This fix has been automatically verified through:

  • Build verification
  • Scanner re-scan
  • LLM code review

🤖 This PR was automatically generated.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

adam added the pull-request label 2025-12-29 08:32:10 +01:00
adam closed this issue 2025-12-29 08:32:10 +01:00
Reference: starred/yaak-mountain-loop#226