sanitize-html Cross-Site Scripting Vulnerability

Vulnerability

A Cross-Site Scripting (XSS) vulnerability exists in the npm package sanitize-html in versions prior to 2.0.0-beta. The issue is in the sanitizeHtml() function, which does not properly sanitize content produced through the custom transformTags option. Whatever a transform callback writes into its result is passed through to the output, so if a transform copies unsanitized user input into that result, markup and script in the input survive sanitization and can lead to XSS.

Impact

Exploitation of this vulnerability allows Cross-Site Scripting: an attacker can inject script that executes in the victim's browser with the privileges of the page rendering the "sanitized" output, including access to its DOM and session.

Reproduction

To reproduce this vulnerability, install a vulnerable version of sanitize-html (for example 1.27.4) and call sanitizeHtml() with a transformTags callback that copies unsanitized user input into its result. Render the returned HTML in a browser: the injected JavaScript, such as an alert(), executes.
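The pattern behind the reproduction above and its hardened counterpart, as an added illustration that is not code from the sanitize-html project or from this advisory. It models the documented transformTags contract, where a callback receives (tagName, attribs) and returns { tagName, attribs, text }, and assumes, as the advisory describes, that input a transform copies into its result reaches the output unescaped on vulnerable versions. It does not import sanitize-html; the two sample transforms, the probe payloads and the audit helper are constructed here so the check runs offline against any transformTags option object you pass it.

```javascript
// Added example, not sanitize-html code: audit transformTags callbacks for the
// unsafe pattern this advisory describes (user input copied verbatim into the
// transform result). The { tagName, attribs, text } shape follows the
// sanitize-html README; everything else here is constructed for illustration.

// Minimal HTML escaper covering the characters that break out of text content
// or a quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: `text` is built from an attribute value verbatim. On
// sanitize-html < 2.0.0-beta that string is emitted as-is, so any markup in
// the attribute reaches the rendered page.
const unsafeTransform = (tagName, attribs) => ({
  tagName: 'span',
  attribs: {},
  text: 'Image: ' + (attribs.alt || ''),
});

// Hardened pattern: escape anything derived from input before it becomes `text`.
const safeTransform = (tagName, attribs) => ({
  tagName: 'span',
  attribs: {},
  text: 'Image: ' + escapeHtml(attribs.alt || ''),
});

// Constructed XSS-shaped probes. A transform is flagged when a probe survives
// into `text` with its markup intact.
const PROBES = [
  '<img src=x onerror=alert(1)>',
  '"><script>alert(1)</script>',
  '<svg onload=alert(1)>',
];

// Feed each probe to the transform through the named attribute and return the
// probes that come back unescaped in `text` (empty array means none reflected).
function findReflectedProbes(transform, attrName = 'alt') {
  const reflected = [];
  for (const probe of PROBES) {
    const out = transform('img', { [attrName]: probe, src: 'x' });
    if (out && typeof out.text === 'string' && out.text.includes(probe)) {
      reflected.push(probe);
    }
  }
  return reflected;
}

// Walk a sanitize-html options object and report every transform callback that
// reflects attribute input into `text`. String renames (e.g. { ol: 'ul' })
// carry no user-controlled text and are skipped.
function auditTransformTags(options) {
  const findings = {};
  for (const [tag, transform] of Object.entries(options.transformTags || {})) {
    if (typeof transform !== 'function') continue;
    const hits = findReflectedProbes(transform);
    if (hits.length) findings[tag] = hits;
  }
  return findings;
}

// Run the audit over both sample option objects.
function demo() {
  const unsafe = auditTransformTags({ transformTags: { img: unsafeTransform } });
  const safe = auditTransformTags({ transformTags: { img: safeTransform } });
  return {
    unsafeFlagged: Object.keys(unsafe).length > 0,
    safeFlagged: Object.keys(safe).length > 0,
    unsafe,
    safe,
  };
}
```

Calling demo() flags the img transform in the unsafe configuration for all three probes and reports nothing for the hardened one. The audit exercises only the transform callbacks, not the library, so it is equally useful before and after upgrading: a transform that reflects raw input into its result is a defect in the caller's code regardless of the sanitize-html version.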

Remediation

Upgrade to sanitize-html 2.0.0-beta or later (the stable 2.x releases include the fix), where this vulnerability has been addressed. Until the upgrade is deployed, treat any value a transformTags callback copies into its result as untrusted and escape it before returning it.

Added: Sep 8, 2025, 10:18 AM
Updated: Sep 8, 2025, 4:51 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.7
exploitability: 7.9
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.