Description
The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.
Recommendation
Update the sanitize-html package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.7.1
- Patched version(s): 2.7.1
References
Related Issues
- sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225
- Improper Input Validation in sanitize-html - CVE-2021-26539
- sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements - CVE-2026-40186
- jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label - CVE-2022-31160
You might also like:
- Tags:
- npm
- sanitize-html
Anything's wrong? Let us know Last updated on April 22, 2024