CVE-2019-25225 — sanitize-html is vulnerable to XSS through incomprehensive sanitization

Description

`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.

How to fix CVE-2019-25225

To remediate CVE-2019-25225, upgrade the affected package to a fixed version below.

—upgrade to 2.0.0-beta or later

Is CVE-2019-25225 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.0.0-beta

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-25225
PATCHgithub.com/apostrophecms/sanitize-html
WEBgithub.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3
WEBgithub.com/apostrophecms/sanitize-html/issues/293