Description
The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.
Recommendation
Update the sanitize-html package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.7.1
- Patched version(s): 2.7.1
References
Related Issues
- Directory Traversal in node-simple-router - CVE-2017-16083
- csvjson vulnerable to prototype injection - CVE-2025-57318
- sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225
- Prebid.js NPM package briefly compromised - CVE-2025-59038
- Tags:
- npm
- sanitize-html
Anything's wrong? Let us know Last updated on April 22, 2024