AhmedAdelFahim express-xss-sanitizer
cpe:2.3:a:express_xss_sanitizer_project:express_xss_sanitizer:*:*:*:*:node.js:*:*
- <= 2.0.0
A denial-of-service vulnerability has been identified in the Express XSS Sanitizer package, affecting versions through 2.0.0. The issue arises from unbounded recursion in the 'sanitize' function in 'lib/sanitize.js', which walks every key and element of a parsed JSON request body and recurses into nested values with no depth limit, node limit, or cycle detection. An unauthenticated remote attacker can therefore send a deeply nested JSON body and trigger a 'RangeError: Maximum call stack size exceeded'. Depending on how the error is handled, each request yields a 500 response (when Express's error handler catches it) or terminates the process (when it does not); either way the event loop is tied up walking the payload until the stack overflows, and the request can be repeated.
Impact: a stack overflow ('RangeError: Maximum call stack size exceeded') inside request handling, which starves the event loop and results in either repeated 500 responses or termination of the Node.js process, denying service to legitimate clients.
To reproduce this vulnerability, send a request with 'Content-Type: application/json' whose body is deeply nested, for example a few tens of thousands of nested arrays ('[[[[...]]]]'). Such a body is still under 100 KB and therefore passes body-parser's default 100kb size limit, so that limit is not a mitigation. The 'sanitize' function recursively processes the parsed body without any depth limit, cycle detection, or node limit, and the recursion overflows the call stack.
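The following is an added illustration and is not code from the express-xss-sanitizer project. 'sanitizeUnbounded' reproduces the recursive pattern the advisory describes (recurse into every nested value with no limits); 'sanitizeBounded' is one hardened form with a depth limit, a total node budget, and cycle detection, and the middleware wrapper turns a limit violation into a 400 instead of a crash. The limits 'MAX_DEPTH' and 'MAX_NODES', the 'PayloadTooLargeError' class, the 'cleanString' HTML-escape stand-in (the real package delegates string cleaning to an XSS filter, which is not relevant to the recursion bug), and the middleware are all assumptions made for this example. The attacker payload is constructed in-process rather than via JSON.parse so the demonstration does not depend on JSON.parse's own nesting behaviour.

```javascript
// Added example, not the express-xss-sanitizer code base. Assumed limits; tune
// for the application's real payloads.
const MAX_DEPTH = 64;
const MAX_NODES = 100000;

// Hypothetical error type so the middleware can distinguish a rejected payload
// from a genuine bug and answer 400 rather than 500.
class PayloadTooLargeError extends Error {
  constructor(msg) { super(msg); this.name = 'PayloadTooLargeError'; this.status = 400; }
}

// Stand-in for the string filter; the actual package uses an XSS filter here.
function cleanString(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: one stack frame per nesting level, no limit of any kind.
// A deep enough body ends in RangeError: Maximum call stack size exceeded.
function sanitizeUnbounded(value) {
  if (typeof value === 'string') return cleanString(value);
  if (Array.isArray(value)) return value.map((item) => sanitizeUnbounded(item));
  if (value && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) out[cleanString(key)] = sanitizeUnbounded(value[key]);
    return out;
  }
  return value;
}

// Hardened shape: depth limit, node budget and cycle detection. Exceeding a
// limit throws a controlled error before the stack can overflow.
function sanitizeBounded(value, limits = {}) {
  const maxDepth = limits.maxDepth ?? MAX_DEPTH;
  const maxNodes = limits.maxNodes ?? MAX_NODES;
  let nodes = 0;
  const seen = new WeakSet();

  function walk(v, depth) {
    if (++nodes > maxNodes) throw new PayloadTooLargeError(`more than ${maxNodes} nodes`);
    if (typeof v === 'string') return cleanString(v);
    if (!v || typeof v !== 'object') return v;
    if (depth > maxDepth) throw new PayloadTooLargeError(`nesting deeper than ${maxDepth}`);
    if (seen.has(v)) throw new PayloadTooLargeError('cyclic structure');
    seen.add(v);
    if (Array.isArray(v)) return v.map((item) => walk(item, depth + 1));
    const out = {};
    for (const key of Object.keys(v)) out[cleanString(key)] = walk(v[key], depth + 1);
    return out;
  }
  return walk(value, 0);
}

// Constructed attacker payload: {"a":{"a":{"a":...}}} nested `depth` times.
function nestedObject(depth) {
  let obj = 'x';
  for (let i = 0; i < depth; i++) obj = { a: obj };
  return obj;
}

// Express-style middleware (Express itself is assumed and not started here):
// a limit violation becomes a 400 response instead of a crashed worker.
function xssBodyMiddleware(limits) {
  return function (req, res, next) {
    try {
      req.body = sanitizeBounded(req.body, limits);
      next();
    } catch (e) {
      if (e instanceof PayloadTooLargeError) return res.status(400).json({ error: e.message });
      next(e);
    }
  };
}

// Runs both variants on a payload of the given depth and reports the outcome
// ('ok' or the name of the error thrown) for each.
function compare(depth) {
  const payload = nestedObject(depth);
  const result = {};
  try { sanitizeUnbounded(payload); result.unbounded = 'ok'; } catch (e) { result.unbounded = e.constructor.name; }
  try { sanitizeBounded(payload); result.bounded = 'ok'; } catch (e) { result.bounded = e.constructor.name; }
  return result;
}
```

With a depth of 100000 the unbounded walker fails with RangeError while the bounded one rejects the body with PayloadTooLargeError after at most MAX_DEPTH frames; the same structure is what a depth-limited or iterative rewrite of the real 'sanitize' function needs to provide, and the node budget also caps wide (rather than deep) payloads that a depth limit alone would not.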