Description
The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.
Recommendation
Update the sanitize-html package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.7.1
- Patched version(s): 2.7.1
References
Related Issues
- sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225
- Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` - CVE-2026-44990
- html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS) - CVE-2021-23346
- LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex - CVE-2026-45617
You might also like:
- Tags:
- npm
- sanitize-html
Anything's wrong? Let us know Last updated on April 22, 2024


