Skip to content

Update security updates [SECURITY] (dev) - autoclosed#346

Closed
renovate[bot] wants to merge 1 commit into
devfrom
renovate/dev-security-updates
Closed

Update security updates [SECURITY] (dev) - autoclosed#346
renovate[bot] wants to merge 1 commit into
devfrom
renovate/dev-security-updates

Conversation

@renovate

@renovate renovate Bot commented Jul 9, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Type Update Change
ammonia dependencies patch 4.1.24.1.3
anyhow dependencies patch 1.0.1021.0.103

mXSS in ammonia via MathML annotation-xml encoding strip

GHSA-9jh8-v38h-cvhr / RUSTSEC-2026-0193

More information

Details

If a certain set of MathML tags are enabled, an attacker can inject arbitrary JavaScript code into the user's browser.

The annotation-xml tag has slightly different behavior than the other "integration point"
tags in MathML and SVG, but ammonia didn't handle it, so it didn't correctly
strip the namespace-incompatible tags.

This vulnerability only has an effect when the math and annotation-xml tags
are both enabled, but the encoding attribute is disabled, because it relies
on the following sequence of steps:

  1. User writes code like <math><annotation-xml encoding="text/html"><gadget></annotation-xml></math>.
  2. Namespace filtering checks the DOM, and it passes. <gadget> is parsed as HTML.
  3. Attribute filter strips it down to <math><annotation-xml><gadget></annotation-xml></math>. Because the encoding attribute is gone, <gadget> is now parsed as MathML.
  4. The gadget is written in such a way that it exploits the parsing differences between HTML and MathML.

Additionally, the gadget can only be written using a tag that is parsed as raw text in HTML.
These elements are:

  • title
  • textarea
  • xmp
  • iframe
  • noembed
  • noframes
  • plaintext
  • noscript
  • style
  • script

Applications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.


Discovered by: ivan0912 (YesWeHack) · Date: 2026-06-29 · Found via local differential analysis and source review of ammonia's sanitisation pipeline; no third-party systems were tested.

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Unsoundness in Error::downcast_mut()

RUSTSEC-2026-0190

More information

Details

Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to an error via Error::context and then later calls Error::downcast_mut on the returned Error.

The flaw was corrected in commit 6e8c000 by revising how the mutable reference is constructed, avoiding inclusion of a shared reference in the resulting borrow chain.

Example
use anyhow::Error;
use std::fmt;

#[derive(Debug)]
struct ErrorContext(&'static str);

impl fmt::Display for ErrorContext {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::Display::fmt(&self.0, f)
    }
}

fn main() {
    let mut error = Error::msg("inner error").context(ErrorContext("old context"));
    let context: &mut ErrorContext = error.downcast_mut().unwrap();
    context.0 = "new context";
    println!("{:?}", error);
}
Miri output
error: Undefined Behavior: trying to retag from <1538> for Unique permission at alloc602[0x38], but that tag only grants SharedReadOnly permission for this location
   --> src/ptr.rs:170:18
    |
170 |         unsafe { &mut *self.ptr.as_ptr() }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc602[0x38..0x48]
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
help: <1538> was created by a SharedReadOnly retag at offsets [0x38..0x48]
   --> src/ptr.rs:89:18
    |
 89 |             ptr: NonNull::from(ptr),
    |                  ^^^^^^^^^^^^^^^^^^
    = note: stack backtrace:
            0: anyhow::ptr::Mut::<'_, ErrorContext>::deref_mut
                at src/ptr.rs:170:18: 170:41
            1: anyhow::error::<impl anyhow::Error>::downcast_mut::<ErrorContext>
                at src/error.rs:560:18: 560:46
            2: main
                at examples/downcast_mut.rs:15:38: 15:58

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Configuration

📅 Schedule: (in timezone Europe/Warsaw)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Pull requests that update a dependency file renovate security labels Jul 9, 2026
@renovate renovate Bot changed the title Update security updates [SECURITY] (dev) Update security updates [SECURITY] (dev) - autoclosed Jul 9, 2026
@renovate renovate Bot closed this Jul 9, 2026
@renovate renovate Bot deleted the renovate/dev-security-updates branch July 9, 2026 13:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file renovate security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants