GHSA-qhwp-454g-2gv4: Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth

September 15, 2025 (updated September 26, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references.

Original Description

The express-xss-sanitizer package for Node.js has unbounded recursion in the sanitize function (lib/sanitize.js) when processing JSON request bodies: every level of nesting in the body adds another recursive call, and no depth limit is applied. A remote attacker can send a deeply nested payload to any endpoint that applies this sanitizer, consuming CPU and call-stack space until the process becomes unresponsive or crashes (e.g., with a RangeError "Maximum call stack size exceeded"). This causes a denial of service. The issue is present through version 2.0.0; no fixed release is available as of this update.
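The recursion described above, and the depth bound that stops it, as an added JavaScript example that is not code from express-xss-sanitizer or from this advisory. The recursive sanitizer is a hypothetical stand-in for lib/sanitize.js (it only HTML-escapes strings), the 200,000-level payload is constructed here, and the names sanitizeNaive, sanitizeBounded, exceedsDepth and depthLimit are assumptions:

```javascript
'use strict';

// Added example, not code from express-xss-sanitizer or the advisory. Shows a
// naive recursive sanitizer (the CWE-674 pattern), a constructed deeply nested
// payload that exhausts the Node call stack, and an iterative, depth-limited
// replacement plus an Express-style guard. All names are hypothetical.

// Minimal HTML escaping; stands in for whatever the real sanitizer does to strings.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The vulnerable shape: recursion with no depth bound, one stack frame per level.
function sanitizeNaive(value) {
  if (typeof value === 'string') return escapeHtml(value);
  if (Array.isArray(value)) return value.map(sanitizeNaive);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) out[key] = sanitizeNaive(value[key]);
    return out;
  }
  return value;
}

// Constructed attacker payload {"a":{"a":{...}}} nested `depth` levels, built
// iteratively so that constructing it cannot overflow the stack itself.
function nestedPayload(depth, leaf = '<script>alert(1)</script>') {
  let value = leaf;
  for (let i = 0; i < depth; i++) value = { a: value };
  return value;
}

class PayloadTooDeepError extends Error {
  constructor(limit) {
    super(`request body nesting exceeds ${limit} levels`);
    this.name = 'PayloadTooDeepError';
    this.status = 400;
  }
}

// Iterative depth check: an explicit stack costs heap, not call stack, and the
// walk stops as soon as a container sits `limit` levels below the root.
function exceedsDepth(value, limit) {
  const stack = [[value, 0]];
  while (stack.length) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth >= limit) return true;
    for (const child of Object.values(node)) stack.push([child, depth + 1]);
  }
  return false;
}

// Same output as sanitizeNaive, but iterative and bounded: the walk throws as
// soon as it reaches maxDepth instead of continuing to exhaustion.
function sanitizeBounded(value, maxDepth = 32) {
  if (typeof value === 'string') return escapeHtml(value);
  if (value === null || typeof value !== 'object') return value;
  const root = Array.isArray(value) ? [] : {};
  const work = [[value, root, 0]];
  while (work.length) {
    const [src, dst, depth] = work.pop();
    if (depth >= maxDepth) throw new PayloadTooDeepError(maxDepth);
    for (const key of Object.keys(src)) {
      const child = src[key];
      if (typeof child === 'string') dst[key] = escapeHtml(child);
      else if (child !== null && typeof child === 'object') {
        const copy = Array.isArray(child) ? [] : {};
        dst[key] = copy;
        work.push([child, copy, depth + 1]);
      } else dst[key] = child;
    }
  }
  return root;
}

// Express-style middleware, assumed to be mounted after express.json() and
// before the sanitizer, so an over-deep body is rejected before any recursion.
function depthLimit(limit = 32) {
  return (req, res, next) => {
    if (exceedsDepth(req.body, limit)) {
      return res.status(400).json({ error: `body nesting exceeds ${limit} levels` });
    }
    return next();
  };
}

// Runs the naive and bounded sanitizers over a 200,000-level payload.
function demonstrate() {
  const payload = nestedPayload(200000);
  let naive, bounded;
  try { sanitizeNaive(payload); naive = 'completed'; }
  catch (e) { naive = e instanceof RangeError ? `RangeError: ${e.message}` : 'other'; }
  try { sanitizeBounded(payload); bounded = 'completed'; }
  catch (e) { bounded = e.name; }
  return { naive, bounded, guardRejects: exceedsDepth(payload, 32) };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demonstrate());
```

The naive walk dies with a RangeError a few thousand frames in, which is exactly the symptom the advisory describes; the bounded walk rejects the same body with a 400-class error after 32 levels and never touches the call stack. The guard is deliberately separate from the sanitizer so it can be mounted in front of any third-party body middleware, not just this one; the limit of 32 is an assumption and should be set to the deepest body your API legitimately accepts.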

References

  • dbugs.ptsecurity.com/vulnerability/PT-2025-37434
  • gist.github.com/Spendroslav/177804eaef5acfb222a550de212a1b94
  • github.com/AhmedAdelFahim/express-xss-sanitizer
  • github.com/advisories/GHSA-qhwp-454g-2gv4
  • nvd.nist.gov/vuln/detail/CVE-2025-59364
  • www.npmjs.com/package/express-xss-sanitizer
  • www.tenable.com/cve/CVE-2025-59364

Affected versions

All versions up to 2.0.0

Solution

No fixed release is available as of this update. Because this advisory was withdrawn as a duplicate, consult GHSA-hvq2-wf92-j4f3 for the current fix status.

Weakness

  • CWE-674: Uncontrolled Recursion

Source file

npm/express-xss-sanitizer/GHSA-qhwp-454g-2gv4.yml


Page generated Sat, 18 Oct 2025 00:19:13 +0000.