league/commonmark Embed Extension Domain Allowlist Bypass Vulnerability
Vulnerability
A vulnerability exists in the Embed extension of league/commonmark, affecting versions from 2.3.0 up to, but not including, 2.8.2. The issue lies in the DomainFilteringAdapter, where the domain-matching regex lacks a hostname boundary assertion, so the allowlist can be bypassed: an attacker-controlled domain such as 'youtube.com.evil' passes the check when 'youtube.com' is an allowed domain, because the regex matches the allowed domain as a prefix of the hostname rather than requiring the hostname to end there. The vulnerability has been patched in version 2.8.2.
Impact
Exploitation of this vulnerability bypasses the domain allowlist, leading to potential server-side request forgery (SSRF) and cross-site scripting (XSS) vulnerabilities. The bypassed domain filter can cause the server to make outbound requests to an attacker-controlled host, potentially probing internal services or exfiltrating request metadata. Additionally, an attacker can return arbitrary HTML or JavaScript in an oEmbed response, which is rendered without sanitization, creating an XSS risk.
Reproduction
To reproduce this vulnerability, use a league/commonmark version from 2.3.0 up to, but not including, 2.8.2. Enable the Embed extension and configure the allowed_domains setting to include a domain. Then provide an embed URL whose hostname has the allowed domain as a prefix followed by an attacker-controlled suffix (e.g., 'example.com.evil' when 'example.com' is allowed). When the URL is processed, the domain filter incorrectly allows the request, demonstrating the bypass.
Remediation
Users can update to league/commonmark version 2.8.2, where this vulnerability has been patched. The update replaces the regex-based domain check with explicit hostname parsing using parse_url(), ensuring accurate domain matching. For those unable to update, the Embed extension can be disabled or restricted to trusted users.
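The following PHP script is an added illustration of the flaw described in the Vulnerability section and of the hostname-parsing approach described in the Remediation section; it is not league/commonmark's own code. The regex in naiveDomainAllowed() is a constructed stand-in for a boundary-less domain check, not the exact pattern from the affected DomainFilteringAdapter, and the allowlist and URLs are constructed sample values. hostnameDomainAllowed() shows the shape of the fix: extract the host with parse_url() and compare it against the allowlist on whole DNS labels.

```php
<?php
declare(strict_types=1);

// Added example, not league/commonmark code. Demonstrates why a regex
// without a hostname boundary lets "youtube.com.evil" through, and how
// parsing the hostname first closes that gap.

/** Constructed allowlist for the demonstration (hypothetical values). */
const ALLOWED_DOMAINS = ['youtube.com', 'vimeo.com'];

/**
 * Weak check (constructed stand-in for the flaw class): the pattern matches
 * the allowed domain after "://" and an optional subdomain prefix, but never
 * asserts that the hostname ends there, so any suffix is accepted.
 */
function naiveDomainAllowed(string $url, array $allowed): bool
{
    foreach ($allowed as $domain) {
        // preg_quote escapes the dots; note the missing trailing boundary.
        $pattern = '~^https?://(?:[^/]+\.)?' . preg_quote($domain, '~') . '~i';
        if (preg_match($pattern, $url) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Hardened check: pull the hostname out with parse_url() and compare it
 * to the allowlist exactly or as a whole-label subdomain.
 */
function hostnameDomainAllowed(string $url, array $allowed): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // no usable hostname: reject rather than guess
    }
    $host = strtolower(rtrim($host, '.')); // normalise case and trailing dot
    foreach ($allowed as $domain) {
        $domain = strtolower($domain);
        if ($host === $domain) {
            return true;
        }
        // Subdomain match must respect the label boundary: "www.youtube.com"
        // is allowed, "youtube.com.evil" and "notyoutube.com" are not.
        $suffix = '.' . $domain;
        if (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs: two legitimate, one allowlist bypass attempt,
// and one prefix-confusion case that both checks must reject.
$cases = [
    'https://www.youtube.com/watch?v=abc',
    'https://youtube.com/oembed',
    'https://youtube.com.evil/oembed',
    'https://notyoutube.com/',
];

foreach ($cases as $url) {
    printf(
        "%-40s naive=%s hostname=%s\n",
        $url,
        naiveDomainAllowed($url, ALLOWED_DOMAINS) ? 'allow' : 'deny',
        hostnameDomainAllowed($url, ALLOWED_DOMAINS) ? 'allow' : 'deny'
    );
}
```

Running the script with `php` shows the two checks agreeing on the legitimate URLs and on 'notyoutube.com', and disagreeing only on 'youtube.com.evil', which the regex allows and the hostname check denies. The design point is that the allowlist decision is made on a parsed hostname rather than on the raw URL string, and that suffix matching is done on a leading '.' so the comparison can only succeed at a label boundary.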
