express-xss-sanitizer has an unbounded recursion depth
The sanitize function in lib/sanitize.js performed recursive sanitization without depth limiting, making it vulnerable to stack overflow attacks via specially crafted deeply nested JSON objects.
Advisories for Npm/Express-Xss-Sanitizer package
2025
Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references. Original Descripton The express-xss-sanitizer package for Node.js has an unbounded recursion in the sanitize function (lib/sanitize.js) when processing JSON request bodies. A remote attacker can send a deeply nested payload to any endpoint that applies this sanitizer, driving excessive recursion and resource consumption (CPU) until the process becomes …
2022
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.