CVE-2019-25225Cross-site Scripting in Sanitize-html

CWE-79Cross-site Scripting7 documents6 sources
Severity
6.1MEDIUMNVD
EPSS
0.0%
top 86.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apostrophecms Sanitize-html
Timeline
PublishedSep 8

Description

`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

npmapostrophecms/sanitize-html< 2.0.0-beta

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
sanitize-html is vulnerable to XSS through incomprehensive sanitization2025-09-08
OSV
CVE-2019-25225: `sanitize-html` prior to version 22025-09-08
CVEList
CVE-2019-25225: `sanitize-html` prior to version 22025-09-08
GHSA
sanitize-html is vulnerable to XSS through incomprehensive sanitization2025-09-08

📋Vendor Advisories

2
Red Hat
sanitize-html: sanitize-html cross site scripting2025-09-08
Debian
CVE-2019-25225: node-sanitize-html - `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scriptin...2019
CVE-2019-25225 — Cross-site Scripting in Sanitize-html | cvebase