CVE-2021-33391

9.8 CRITICAL

📋 TL;DR

CVE-2021-33391 is a use-after-free vulnerability in HTACG HTML Tidy. The flaw is in the CleanNode() function, is reached via the -g option, and allows attackers to execute arbitrary code. This affects systems using vulnerable versions of HTML Tidy for HTML parsing or cleanup. Attackers can achieve remote code execution with high privileges.

💻 Affected Systems

Products:
  • HTACG HTML Tidy
  • Applications embedding HTML Tidy library
  • Systems using tidy command-line tool
Versions: v5.7.28 and earlier
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or script that calls HTML Tidy with untrusted input is vulnerable. The vulnerable code is the CleanNode() function in gdoc.c, which is reached through the -g option.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root/admin privileges leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

Remote code execution leading to web server compromise, data exfiltration, or lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation, minimal privileges, and exploit prevention controls in place.

🌐 Internet-Facing: HIGH - Web applications using HTML Tidy for input sanitization are directly exposed to remote exploitation.
🏢 Internal Only: MEDIUM - Internal tools or scripts using HTML Tidy could be exploited through internal attacks or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in a widely used library with public proof-of-concept available. Exploitation requires feeding malicious input to the vulnerable function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.8.0 and later

Vendor Advisory: https://github.com/htacg/tidy-html5/issues/946

Restart Required: Yes

Instructions:

1. Update HTML Tidy to version 5.8.0 or later.
2. For package managers: 'apt update && apt upgrade tidy' (Debian/Ubuntu) or 'yum update tidy' (RHEL/CentOS).
3. Recompile applications using the library.
4. Restart affected services.

🔧 Temporary Workarounds

Input Validation

all

Implement strict input validation before passing data to HTML Tidy functions

Disable Vulnerable Function

all

Avoid using the -g option or CleanNode() function with untrusted input

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems using HTML Tidy
  • Apply strict input validation and sanitization before HTML Tidy processing

🔍 How to Verify

Check if Vulnerable:

Check HTML Tidy version with 'tidy -v' or examine application dependencies for versions <= 5.7.28

Check Version:

tidy -v

Verify Fix Applied:

Confirm version is 5.8.0 or later with 'tidy -v' and test with known malicious inputs
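
The version check above as a script, added here as an example (it is not part of the original advisory or of the HTML Tidy project). It assumes the `tidy -v` banner contains `version X.Y.Z`; the sample banners are constructed, and releases between 5.7.28 and 5.8.0 are reported as `unknown` because this page does not classify them.

```shell
#!/bin/sh
# Classify a `tidy -v` banner against the versions stated on this page:
# <= 5.7.28 affected, >= 5.8.0 fixed, anything else needs manual review.

# Print the first X.Y.Z that follows the word "version", or nothing.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Print "vulnerable", "fixed" or "unknown" for one banner string.
classify_tidy() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }   # e.g. date-stamped legacy builds
    old_ifs=$IFS; IFS=.
    set -- $ver                                    # split X.Y.Z into $1 $2 $3
    IFS=$old_ifs
    major=$1 minor=$2 patch=$3
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }; then
        echo fixed
    elif [ "$major" -lt 5 ] || [ "$minor" -lt 7 ] ||
         { [ "$minor" -eq 7 ] && [ "$patch" -le 28 ]; }; then
        echo vulnerable
    else
        echo unknown                               # 5.7.29 .. 5.7.x: not covered by the page
    fi
}

# Check the locally installed binary, if there is one.
if command -v tidy >/dev/null 2>&1; then
    banner=$(tidy -v 2>/dev/null || true)
    echo "installed tidy: $(classify_tidy "$banner")"
fi

# Constructed sample banners (not captured from real systems).
for b in \
    "HTML Tidy for Linux version 5.6.0" \
    "HTML Tidy for Linux version 5.7.28" \
    "HTML Tidy for Linux version 5.7.45" \
    "HTML Tidy for Windows version 5.8.0" \
    "HTML Tidy released on 25 March 2009"
do
    printf '%-40s %s\n' "$b" "$(classify_tidy "$b")"
done
```

Applications that link the library statically do not show up in `tidy -v`; their bundled version has to be read from the application's own dependency manifest.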

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from web server context
  • Crash logs from HTML Tidy processes
  • Memory corruption errors in application logs

Network Indicators:

  • Unusual outbound connections from web servers
  • Exploit kit traffic patterns

SIEM Query:

process_name:tidy AND (event_type:crash OR parent_process:web_server)
