Description
The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.
Recommendation
Update the sanitize-html package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.7.1
- Patched version(s): 2.7.1
References
Related Issues
- sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225
- Cross-Site Scripting in sanitize-html (GHSA-3j7m-hmh3-9jmp) - CVE-2016-1000237
- html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS) (GHSA-545q-3fg6-48m7) - CVE-2021-23346
- html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS) - CVE-2021-23346
- Tags:
- npm
- sanitize-html
Anything's wrong? Let us know Last updated on April 22, 2024