Karakeep Stored Cross-Site Scripting Vulnerability via Unsanitized Reddit Metascraper Content
Vulnerability
A stored cross-site scripting vulnerability has been identified in Karakeep version 0.30.0. The issue arises in the HTML parsing subprocess of the Reddit metascraper plugin, which directly uses the `readableContentHtml` from the response without sanitization through DOMPurify. This omission allows malicious HTML to be executed in the user's browser when the bookmark is accessed. In contrast, content from other sources is properly sanitized before being displayed.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the bookmark. This could lead to theft of session cookies and JWT tokens, unauthorized access to the user's bookmarks, lists, and API keys, and potential escalation to admin privileges if an admin user views the bookmark.
Reproduction
To reproduce this vulnerability, bookmark a Reddit post containing malicious HTML, such as an image tag with an `onerror` event. When the bookmark is saved, the metascraper plugin will fetch the post data, decode the HTML entities, and return the `selftext_html` as-is, without any sanitization. This unsanitized content is then stored in the database and executed when the bookmark is opened in the reader view.
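To make the two paths described above concrete, here is an added example (not Karakeep's own code, and not the Reddit metascraper plugin's): it models the plugin's decode-then-return step on a constructed Reddit post, shows the same content after an allowlist sanitization pass, and includes a small audit function a defender could run over already-stored bookmark HTML. The function names, the `SAMPLE_POST` object and the minimal sanitizer are all assumptions made for this example; Karakeep's fix uses DOMPurify, which is what a real deployment should use rather than the toy filter here.

```javascript
// Added example, not Karakeep's code. Models the Reddit metascraper path the
// advisory describes (decode selftext_html, return it) and the sanitization
// that the vulnerable version skipped. The sanitizer is a deliberately small
// allowlist filter so the example runs offline; use DOMPurify in practice.

const ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0" };

// Reddit's API returns selftext_html entity-encoded; the plugin decodes it once.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, name) => {
    if (name[0] === "#") {
      const hex = name[1].toLowerCase() === "x";
      const code = hex ? parseInt(name.slice(2), 16) : parseInt(name.slice(1), 10);
      return code > 0x10ffff ? m : String.fromCodePoint(code);
    }
    const key = name.toLowerCase();
    return key in ENTITIES ? ENTITIES[key] : m;
  });
}

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Allowlist: tags that may survive, attributes per tag, and tags whose body is
// raw text that must be dropped along with the tag.
const ALLOWED_TAGS = new Set(["p", "a", "strong", "em", "ul", "ol", "li", "br", "code", "pre", "blockquote", "div"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };
const RAW_TEXT_TAGS = new Set(["script", "style"]);

function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let kept = "";
  let a;
  while ((a = attrRe.exec(rawAttrs)) !== null) {
    const key = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? "";
    if (!allowed.has(key)) continue;                                   // drops on* handlers
    if (key === "href" && !/^https?:\/\//i.test(value.trim())) continue; // drops javascript: URLs
    kept += ` ${key}="${escapeText(value)}"`;
  }
  return kept;
}

// Regex-based tokenizer: good enough for this illustration, but a value
// containing ">" would confuse it, which is one reason real code uses a parser.
function sanitizeHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "";
  let last = 0;
  let skipUntil = null; // set while inside <script>/<style>
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [whole, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!skipUntil) out += escapeText(decodeEntities(html.slice(last, m.index)));
    last = m.index + whole.length;
    if (skipUntil) {
      if (closing && name === skipUntil) skipUntil = null;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) {
      if (!closing && RAW_TEXT_TAGS.has(name)) skipUntil = name;
      continue; // e.g. <img ... onerror=...> is removed, surrounding text is kept
    }
    out += closing ? `</${name}>` : `<${name}${sanitizeAttrs(name, rawAttrs)}>`;
  }
  if (!skipUntil) out += escapeText(decodeEntities(html.slice(last)));
  return out;
}

// sanitize:false models the 0.30.0 behaviour (decoded HTML returned as-is);
// sanitize:true models the fixed behaviour.
function extractReadableContent(redditPost, { sanitize }) {
  const decoded = decodeEntities(redditPost.selftext_html);
  return sanitize ? sanitizeHtml(decoded) : decoded;
}

// Audit helper for HTML already stored in the bookmarks table: flags markup
// that sanitized reader-view content should never contain.
function findDangerousMarkup(html) {
  const findings = [];
  if (/<\s*(script|iframe|object|embed)\b/i.test(html)) findings.push("dangerous-tag");
  if (/\son[a-z]+\s*=/i.test(html)) findings.push("event-handler");
  if (/\b(href|src)\s*=\s*["']?\s*javascript:/i.test(html)) findings.push("javascript-url");
  return findings;
}

// Constructed sample shaped like a Reddit post entry; selftext_html is
// entity-encoded the way Reddit's API returns it.
const SAMPLE_POST = {
  title: "constructed example post",
  selftext_html:
    "&lt;div class=&quot;md&quot;&gt;&lt;p&gt;Hello &amp;amp; welcome&lt;/p&gt;" +
    "&lt;img src=&quot;x&quot; onerror=&quot;alert(1)&quot;&gt;" +
    "&lt;a href=&quot;javascript:alert(1)&quot;&gt;link&lt;/a&gt;" +
    "&lt;a href=&quot;https://example.com&quot;&gt;ok&lt;/a&gt;&lt;/div&gt;",
};

console.log("vulnerable:", findDangerousMarkup(extractReadableContent(SAMPLE_POST, { sanitize: false })));
console.log("fixed     :", findDangerousMarkup(extractReadableContent(SAMPLE_POST, { sanitize: true })));
```

Running the block prints two findings for the unsanitized path (the `onerror` handler and the `javascript:` link) and none for the sanitized one. The audit function is the part worth keeping after upgrading: bookmarks saved under 0.30.0 keep whatever HTML was stored at the time, so scanning existing rows for event handlers and script tags tells you whether anything hostile is already in the database.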
Remediation
Users can upgrade to Karakeep version 0.31.0 or later, where this vulnerability has been patched.