Description
The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.
Recommendation
Update the sanitize-html package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.7.1
- Patched version(s): 2.7.1
References
Related Issues
- sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225
- jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label - CVE-2022-31160
- Cross-Site Scripting in sanitize-html (GHSA-3j7m-hmh3-9jmp) - CVE-2016-1000237
- sanitize-html Information Exposure vulnerability - CVE-2024-21501
- Tags:
- npm
- sanitize-html
Anything's wrong? Let us know Last updated on April 22, 2024