CVE-2014-125128
published 2025-09-08CVE-2014-125128: 'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference…
PriorityP425medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.26%
16.8th percentile
'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (``), allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apostrophecms | sanitize-html | < 1.0.3 | 1.0.3 |
| debian | node-sanitize-html | — | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv6.1MEDIUM
vendor_debian6.1LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-389w-f784-rjg3: 'sanitize-html' prior to version 1
ghsa_unreviewed·2025-09-08
CVE-2014-125128 [MEDIUM] CWE-79 GHSA-389w-f784-rjg3: 'sanitize-html' prior to version 1
'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (``), allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings.
OSV
CVE-2014-125128: 'sanitize-html' prior to version 1
osv·2025-09-08·CVSS 6.1
CVE-2014-125128 [MEDIUM] CVE-2014-125128: 'sanitize-html' prior to version 1
'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (``), allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings.
Debian
CVE-2014-125128: node-sanitize-html - 'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XS...
vendor_debian·2014·CVSS 6.1
CVE-2014-125128 [MEDIUM] CVE-2014-125128: node-sanitize-html - 'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XS...
'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (``), allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings.
Scope: local
bookworm: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125128https://github.com/apostrophecms/sanitize-html/commit/423b90e06e1e85245eccedaabeb3a82840c6cd86https://github.com/apostrophecms/sanitize-html/commit/889d4ec968e175f1905b2eb9d33f1fa89217cb02https://github.com/apostrophecms/sanitize-html/issues/1
2025-09-08
Published