PT-2025-37434 · Npm · Express-Xss-Sanitizer

Spendroslav

Published

2025-09-14

Updated

2025-09-26

CVE-2025-59364

CVSS v4.0

6.9

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

**Name of the Vulnerable Software and Affected Versions**

express-xss-sanitizer versions through 2.0.0

**Description**

The express-xss-sanitizer package contains an unbounded recursion depth in the `sanitize` function located in `lib/sanitize.js` when processing a JSON request body.

**Recommendations**

Update to a version of express-xss-sanitizer greater than 2.0.0.

Fix

Uncontrolled Recursion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-674

Related Identifiers

CVE-2025-59364

GHSA-HVQ2-WF92-J4F3

GHSA-QHWP-454G-2GV4

Affected Products

Express-Xss-Sanitizer

PT-2025-37434 · Npm · Express-Xss-Sanitizer

Weakness Enumeration

Related Identifiers

Affected Products

References · 15