sanitize-html is vulnerable to XSS through incomprehensive sanitization

GHSA-qhxp-v273-g94h · CVE-2019-25225

Published Sep 8, 2025 · Modified Sep 12, 2025

Description

sanitize-html prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The sanitizeHtml() function in index.js does not sanitize content when using the custom transformTags option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-25225
WEB https://github.com/apostrophecms/sanitize-html/issues/293
WEB https://github.com/apostrophecms/sanitize-html/pull/156
WEB https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3
WEB https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225
PACKAGE https://github.com/apostrophecms/sanitize-html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes