Skip to content

Security patches (release/2.1)#351

Open
renovate[bot] wants to merge 1 commit into
release/2.1from
renovate/release/2.1-security-patches
Open

Security patches (release/2.1)#351
renovate[bot] wants to merge 1 commit into
release/2.1from
renovate/release/2.1-security-patches

Conversation

@renovate

@renovate renovate Bot commented Jul 9, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Type Update Change
ammonia dependencies patch 4.1.24.1.3
anyhow dependencies patch 1.0.1021.0.103

mXSS in ammonia via MathML annotation-xml encoding strip

GHSA-9jh8-v38h-cvhr / RUSTSEC-2026-0193

More information

Details

If a certain set of MathML tags are enabled, an attacker can inject arbitrary JavaScript code into the user's browser.

The annotation-xml tag has slightly different behavior than the other "integration point"
tags in MathML and SVG, but ammonia didn't handle it, so it didn't correctly
strip the namespace-incompatible tags.

This vulnerability only has an effect when the math and annotation-xml tags
are both enabled, but the encoding attribute is disabled, because it relies
on the following sequence of steps:

  1. User writes code like <math><annotation-xml encoding="text/html"><gadget></annotation-xml></math>.
  2. Namespace filtering checks the DOM, and it passes. <gadget> is parsed as HTML.
  3. Attribute filter strips it down to <math><annotation-xml><gadget></annotation-xml></math>. Because the encoding attribute is gone, <gadget> is now parsed as MathML.
  4. The gadget is written in such a way that it exploits the parsing differences between HTML and MathML.

Additionally, the gadget can only be written using a tag that is parsed as raw text in HTML.
These elements are:

  • title
  • textarea
  • xmp
  • iframe
  • noembed
  • noframes
  • plaintext
  • noscript
  • style
  • script

Applications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.


Discovered by: ivan0912 (YesWeHack) · Date: 2026-06-29 · Found via local differential analysis and source review of ammonia's sanitisation pipeline; no third-party systems were tested.

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Unsoundness in Error::downcast_mut()

RUSTSEC-2026-0190

More information

Details

Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to an error via Error::context and then later calls Error::downcast_mut on the returned Error.

The flaw was corrected in commit 6e8c000 by revising how the mutable reference is constructed, avoiding inclusion of a shared reference in the resulting borrow chain.

Example
use anyhow::Error;
use std::fmt;

#[derive(Debug)]
struct ErrorContext(&'static str);

impl fmt::Display for ErrorContext {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::Display::fmt(&self.0, f)
    }
}

fn main() {
    let mut error = Error::msg("inner error").context(ErrorContext("old context"));
    let context: &mut ErrorContext = error.downcast_mut().unwrap();
    context.0 = "new context";
    println!("{:?}", error);
}
Miri output
error: Undefined Behavior: trying to retag from <1538> for Unique permission at alloc602[0x38], but that tag only grants SharedReadOnly permission for this location
   --> src/ptr.rs:170:18
    |
170 |         unsafe { &mut *self.ptr.as_ptr() }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc602[0x38..0x48]
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
help: <1538> was created by a SharedReadOnly retag at offsets [0x38..0x48]
   --> src/ptr.rs:89:18
    |
 89 |             ptr: NonNull::from(ptr),
    |                  ^^^^^^^^^^^^^^^^^^
    = note: stack backtrace:
            0: anyhow::ptr::Mut::<'_, ErrorContext>::deref_mut
                at src/ptr.rs:170:18: 170:41
            1: anyhow::error::<impl anyhow::Error>::downcast_mut::<ErrorContext>
                at src/error.rs:560:18: 560:46
            2: main
                at examples/downcast_mut.rs:15:38: 15:58

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Configuration

📅 Schedule: (in timezone Europe/Warsaw)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Pull requests that update a dependency file renovate security labels Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file renovate security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants