CVE-2025-29771: JS Html Sanitizer allows XSS when used with contentEditable

March 14, 2025 (updated October 31, 2025)

XSS vulnerability when the sanitizer is used with a contentEditable element to set the elements innerHTML to a sanitized string produced by the package. If the code is particularly crafted to abuse the code beautifier, that runs AFTER sanitation.

References

github.com/advisories/GHSA-vhv4-fh94-jm5x
github.com/jitbit/HtmlSanitizer
github.com/jitbit/HtmlSanitizer/commit/af6d2a78877e7277cd01c825b7fb50edb5956963
github.com/jitbit/HtmlSanitizer/security/advisories/GHSA-vhv4-fh94-jm5x
nvd.nist.gov/vuln/detail/CVE-2025-29771

Code Behaviors & Features

Detect and mitigate CVE-2025-29771 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →