Description
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies).
Recommendation
Update the sanitize-html package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.12.1
- Patched version(s): 2.12.1
References
- GHSA-rm97-x556-q36h
- security.snyk.io
- lists.fedoraproject.org
- CVE-2024-21501
- CWE-200
- CWE-538
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Sanitize-html Vulnerable To REDoS Attacks - CVE-2022-25887
- Improper Input Validation in sanitize-html - sanitize-html - CVE-2021-26540
- react-native-mmkv Insertion of Sensitive Information into Log File vulnerability - CVE-2024-21668
- sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements - CVE-2026-40186
You might also like:
- Tags:
- npm
- sanitize-html
Anything's wrong? Let us know Last updated on March 22, 2026


