Advisories for Npm/Express-Xss-Sanitizer package

2026

Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)

A vulnerability has been identified in express-xss-sanitizer (<= 2.0.1) where restrictive sanitization configurations are silently ignored. When a developer explicitly sets: allowedTags: [] allowedAttributes: {} the library incorrectly treats these values as "not provided" due to length/emptiness checks, and falls back to sanitize-html's default configuration. As a result, instead of stripping all HTML tags and attributes, the sanitizer allows a permissive set of tags (e.g., <a>, <p>, <div>, etc.) and …

2025

express-xss-sanitizer has an unbounded recursion depth

The sanitize function in lib/sanitize.js performed recursive sanitization without depth limiting, making it vulnerable to stack overflow attacks via specially crafted deeply nested JSON objects.

Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references. Original Descripton The express-xss-sanitizer package for Node.js has an unbounded recursion in the sanitize function (lib/sanitize.js) when processing JSON request bodies. A remote attacker can send a deeply nested payload to any endpoint that applies this sanitizer, driving excessive recursion and resource consumption (CPU) until the process becomes …

2022

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.