CVE-2026-33979: Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
(updated )
A vulnerability has been identified in express-xss-sanitizer (<= 2.0.1) where restrictive sanitization configurations are silently ignored.
When a developer explicitly sets:
allowedTags: [] allowedAttributes: {}
the library incorrectly treats these values as “not provided” due to length/emptiness checks, and falls back to sanitize-html’s default configuration.
As a result, instead of stripping all HTML tags and attributes, the sanitizer allows a permissive set of tags (e.g., <a>, <p>, <div>, etc.) and attributes (e.g., href on <a>).
This behavior violates the expected API contract and may lead to security issues such as content injection or XSS, depending on how the sanitized output is used.
References
- github.com/AhmedAdelFahim/express-xss-sanitizer
- github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f
- github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2
- github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq
- github.com/advisories/GHSA-3843-rr4g-m8jq
- nvd.nist.gov/vuln/detail/CVE-2026-33979
Code Behaviors & Features
Detect and mitigate CVE-2026-33979 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →