@@ -68,22 +68,10 @@ GHSA-9ppj-qmqm-q256
6868GHSA-2w8x-224x-785m
6969
7070# Excluded because:
71- # - Arbitrary code execution in protobufjs via malicious protobuf definition files (severity: critical)
72- # - Affects protobufjs < 7.5.5; installed versions: 6.11.4 (@cosmjs/stargate), 7.2.5 (@hashgraph/sdk,
73- # sdk-coin-islm, sdk-coin-trx, sdk-coin-hbar), 7.5.4 (abstract-cosmos, sdk-coin-icp)
74- # - Exploitation requires attacker-controlled .proto definition files; all protobuf definitions in this
75- # repo are static files bundled within trusted upstream dependencies — not user-supplied
76- # - Versions 6.11.4 and 7.2.5 are pinned by upstream deps (@cosmjs ~6.11.x, @hashgraph/sdk 7.2.5)
77- # that do not yet support 7.5.5
78- GHSA-xq3m-2v4x-88gg
79-
80- # Excluded because:
81- # - DoS via memory exhaustion in basic-ftp <= 5.2.2 (severity: high, CVSS 7.5)
82- # - Client.list() buffers entire directory listings without size limits; a malicious FTP server
83- # can send unbounded data to exhaust client memory
84- # - Transitive dependency through pac-proxy-agent > get-uri > basic-ftp; used for PAC-based
85- # proxy resolution, not direct FTP operations
86- # - Exploitation requires connecting to a malicious FTP server; all proxy targets in this
87- # project are controlled internal endpoints, not user-supplied FTP URLs
88- # - Pinned at 5.2.2 in root resolutions; upstream get-uri has not yet updated to require 5.3.0
89- GHSA-rp42-5vxx-qpwr
71+ # - XSS via xmp raw-text passthrough in sanitize-html (severity: critical, CVE-2026-44990)
72+ # - patched_versions: "<0.0.0" — no upstream fix exists yet
73+ # - Used in @bitgo/sdk-api to strip all HTML from API error response text (allowedTags: [])
74+ # - Output is appended to a JavaScript error string server-side, never rendered as HTML in a browser
75+ # - The xmp bypass produces live HTML markup in output, but since we discard all tags and use
76+ # the result as plain text in Error messages, there is no DOM rendering path and no XSS risk
77+ GHSA-rpr9-rxv7-x643
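Review bot: the new sanitize-html exclusion (GHSA-rpr9-rxv7-x643, last five added lines) gives no re-evaluation condition even though its own rationale notes that no patched version exists ("<0.0.0"); since the justification rests entirely on the stripped text only ever landing in a server-side Error message, the entry should say what would invalidate it, namely an upstream release with a real patched range, or any path where that error text reaches an HTML-rendering consumer (for example a client UI that displays `error.message`), so the suppression does not silently outlive its reasoning. Separately, the hunk removes the protobufjs (GHSA-xq3m-2v4x-88gg) and basic-ftp (GHSA-rp42-5vxx-qpwr) exclusions without stating why; if they were resolved by the pinned upstream dependencies (@cosmjs, @hashgraph/sdk, get-uri) moving to fixed versions, a short note to that effect would let reviewers confirm the audit passes without them rather than assuming the advisories were re-suppressed elsewhere.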