CVE-2020-4054

Name: CVE-2020-4054
Creator: NVD / NIST
Published: 2020-06-16T22:15:10.693+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.3/10EPSS 1.85%

Last modified Jun 17, 2026

CVE-2020-4054 is a high-severity vulnerability rated 7.3/10 on the CVSS scale. In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's "relaxed" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist. EPSS estimates a 1.85% chance of exploitation in the next 30 days.

Description

In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's "relaxed" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist. You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements: iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, xmp. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. This has been fixed in 5.2.1.

Metrics

CVSS 3.1

7.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Probability

1.85%

76.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Sanitize Project	Sanitize	>= 3.0.0, < 5.2.1

References

https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9Patch, Third Party Advisory
https://github.com/rgrove/sanitize/releases/tag/v5.2.1Release Notes, Third Party Advisory
https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8mThird Party Advisory
https://usn.ubuntu.com/4543-1/
https://www.debian.org/security/2020/dsa-4730
https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9Patch, Third Party Advisory
https://github.com/rgrove/sanitize/releases/tag/v5.2.1Release Notes, Third Party Advisory
https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8mThird Party Advisory
https://usn.ubuntu.com/4543-1/
https://www.debian.org/security/2020/dsa-4730

Timeline

Published: Jun 16, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-4054?

How severe is CVE-2020-4054?

CVE-2020-4054 has a CVSS score of 7.3/10 (HIGH severity). The EPSS model estimates a 1.85% probability of exploitation in the next 30 days.

How do I fix CVE-2020-4054?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-4054?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST