Reflected cross-site scripting (XSS) In ammonia
Description
mXSS in ammonia via MathML annotation-xml encoding strip
If a certain set of MathML tags are enabled, an attacker can inject arbitrary JavaScript code into the user's browser.
The annotation-xml tag has slightly different behavior than the other "integration point"
tags in MathML and SVG, but ammonia didn't handle it, so it didn't correctly
strip the namespace-incompatible tags.
This vulnerability only has an effect when the math and annotation-xml tags
are both enabled, but the encoding attribute is disabled, because it relies
on the following sequence of steps:
User writes code like <math><annotation-xml encoding="text/html"><gadget></annotation-xml></math>.
Namespace filtering checks the DOM, and it passes. <gadget> is parsed as HTML.
Attribute filter strips it down to <math><annotation-xml><gadget></annotation-xml></math>. Because the encoding attribute is gone, <gadget> is now parsed as MathML.
The gadget is written in such a way that it exploits the parsing differences between HTML and MathML.
Additionally, the gadget can only be written using a tag that is parsed as raw text in HTML. These elements are:
title
textarea
xmp
iframe
noembed
noframes
plaintext
noscript
style
script
Applications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.
Discovered by: ivan0912 (YesWeHack) · Date: 2026-06-29 · Found via local differential analysis and source review of ammonia's sanitisation pipeline; no third-party systems were tested.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Component | Affected version | Patched versions |
|---|---|---|---|
cargo | 3.3.2 |
Aliases