CVE-2022-25887
Published 2022-08-30. CVE-2022-25887: the package sanitize-html before 2.7.1 is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic in HTML comment removal.
Priority: P4 · 34 · Severity: high · CVSS 3.1 base score 7.5 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.15% (62.9th percentile)
The package sanitize-html before 2.7.1 is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic in HTML comment removal. Because the sanitizer runs synchronously inside the Node.js process that handles the untrusted input, one crafted document stalls the event loop for every request served by that process, which is why the NVD vector scores availability impact as High and confidentiality and integrity as None.
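The advisory text names the failure mode but not the mechanics. What follows is an added illustration, not sanitize-html's own code and not taken from the fix commit: a constructed comment-stripping regex of the shape the description points at (a global replacement of `<!-- ... -->`) beside a single-pass scanner that produces the same output in linear time. The function names `stripCommentsRegex`, `stripCommentsLinear`, `adversarialInput` and `measureMs`, and the input they are exercised on, are assumptions made for this illustration.

```javascript
// Added illustration for CVE-2022-25887 (not sanitize-html's code).
// Shows why a global regex that strips "<!-- ... -->" does super-linear
// work on crafted input, and a linear-time scanner that behaves identically.

// Constructed stand-in for a regex-based comment stripper. For each "<!--"
// the engine grows the lazy body one character at a time looking for "-->";
// if the input never closes a comment it scans to the end of the string,
// then the /g search moves on and repeats that scan from the next "<!--".
// Total work is roughly (number of "<!--") x (input length): quadratic.
function stripCommentsRegex(html) {
  return html.replace(/<!--[\s\S]*?-->/g, '');
}

// Single left-to-right pass using indexOf. Same output as the regex version
// for every input (an unterminated comment is left in place, exactly as the
// regex leaves it), but each character is visited a bounded number of times.
function stripCommentsLinear(html) {
  let out = '';
  let i = 0;
  for (;;) {
    const open = html.indexOf('<!--', i);
    if (open === -1) {
      out += html.slice(i);
      break;
    }
    out += html.slice(i, open);
    const close = html.indexOf('-->', open + 4);
    if (close === -1) {
      // No closing marker anywhere after this point, so nothing later can
      // match either; keep the remainder verbatim and stop.
      out += html.slice(open);
      break;
    }
    i = close + 3;
  }
  return out;
}

// Constructed adversarial input: n comment openers and never a closer.
function adversarialInput(n) {
  return '<!--'.repeat(n);
}

// Wall-clock milliseconds for one call; used by the demo only.
function measureMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Demo when executed directly: doubling n should roughly quadruple the
// regex time while the linear scanner stays flat.
if (typeof module !== 'undefined' && require.main === module) {
  for (const n of [2000, 4000, 8000]) {
    const input = adversarialInput(n);
    console.log(
      `n=${n}: regex ${measureMs(stripCommentsRegex, input).toFixed(1)} ms, ` +
      `linear ${measureMs(stripCommentsLinear, input).toFixed(1)} ms`
    );
  }
}
```

The two functions are interchangeable on every input, which is the property a fix for this class of bug has to preserve; only the work per input differs. Exact timings depend on the JavaScript engine, so the demo prints them rather than asserting on them.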
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apostrophecms | sanitize-html | < 2.7.1 | 2.7.1 |
| apostrophecms | sanitize-html | >= 0 < 2.7.1 | 2.7.1 |
| apostrophecms | sanitize-html | >= unspecified < 2.7.1 | 2.7.1 |
| debian | node-sanitize-html | < node-sanitize-html 2.7.1+~2.6.2-1 (bookworm) | node-sanitize-html 2.7.1+~2.6.2-1 (bookworm) |
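sanitize-html is more often a transitive dependency than a direct one (the Ubuntu advisory on this page is filed against Jupyter Notebook, not against the npm package), so the affected range above is worth checking against a lockfile rather than only the top-level package.json. The following is an added example, not part of this page or of the sanitize-html project: it compares versions numerically against the first fixed release, 2.7.1, and walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json`. `SAMPLE_LOCK` is a constructed lockfile with a hypothetical dependency `some-editor`; the function names, and the choice to count a prerelease of 2.7.1 as affected, are assumptions.

```javascript
// Added example for CVE-2022-25887 (not sanitize-html's or this page's code):
// flag every sanitize-html install below the fixed release in a package-lock.json.

const FIXED_VERSION = [2, 7, 1]; // first fixed release per the advisory

// Parse "major.minor.patch[-prerelease][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// True when version < 2.7.1. Numeric comparison (so 2.10.0 is not below
// 2.7.1), and a prerelease of 2.7.1 itself counts as affected because it
// precedes the release (assumption: conservative treatment of prereleases).
function isAffected(version) {
  const { nums, prerelease } = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (nums[i] < FIXED_VERSION[i]) return true;
    if (nums[i] > FIXED_VERSION[i]) return false;
  }
  return prerelease !== null;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every sanitize-html install (top-level or nested) below the fix.
// Assumes the v2/v3 layout; lockfileVersion 1 uses a nested "dependencies" tree.
function findAffectedInLockfile(lock) {
  if (!lock || typeof lock.packages !== 'object') {
    throw new Error('expected lockfileVersion 2 or 3 with a "packages" map');
  }
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (!path.endsWith('node_modules/sanitize-html')) continue;
    if (meta && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a fixed direct install plus an older nested
// copy pulled in by the hypothetical dependency "some-editor".
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'sanitize-html': '^2.7.1', 'some-editor': '^1.0.0' } },
    'node_modules/sanitize-html': { version: '2.7.1' },
    'node_modules/some-editor': { version: '1.0.0', dependencies: { 'sanitize-html': '~2.6.0' } },
    'node_modules/some-editor/node_modules/sanitize-html': { version: '2.6.1' },
  },
};

// Usage: node check-sanitize-html.js ./package-lock.json
// Without a path the constructed sample is checked instead.
if (typeof module !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const hits = findAffectedInLockfile(lock);
  for (const h of hits) {
    console.log(`${h.path}: ${h.version} is below 2.7.1 (CVE-2022-25887)`);
  }
  if (file) process.exitCode = hits.length ? 1 : 0;
}
```

`npm ls sanitize-html` prints the same nesting from an installed tree, and `npm audit` reports this CVE from the GHSA entry listed below; the script is for pipelines that only have the lockfile. Note that a fixed top-level copy says nothing about nested copies, which is what the sample lockfile is built to show.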
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 5.3 | MEDIUM | |
| vendor_redhat | | 5.3 | MEDIUM | |

The Debian and Red Hat vectors are not shown here; under CVSS 3.1, 5.3 with the other NVD metrics unchanged corresponds to rating availability impact Low rather than High, which is the usual vendor reading of a ReDoS that stalls one process rather than the host.
OSV
Sanitize-html Vulnerable To REDoS Attacks
osv · 2022-08-31 · HIGH
Description: same as the NVD text above.
GHSA
Sanitize-html Vulnerable To REDoS Attacks
ghsa · 2022-08-31 · HIGH · CWE-1333
Description: same as the NVD text above.
OSV
CVE-2022-25887: The package sanitize-html before 2
osv · 2022-08-30 · HIGH · CVSS 7.5
Description: same as the NVD text above.
Ubuntu
Jupyter Notebook vulnerability
vendor_ubuntu · 2025-04-28
Title: Jupyter Notebook vulnerability
Summary: Jupyter Notebook could be made to crash if it received specially crafted input.
It was discovered that Jupyter Notebook did not properly parse HTML comments under certain circumstances. An attacker could possibly use this issue to cause a regular expression denial of service (ReDoS).
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
sanitize-html: insecure global regular expression replacement logic may lead to ReDoS
vendor_redhat · 2022-08-30 · MEDIUM · CVSS 5.3 · CWE-185
Description: same as the NVD text above.
A flaw was found in the sanitize-html library. Insecure global regular expression replacement logic in HTML comment removal could lead to a regular expression denial of service (ReDoS), affecting the availability of the affected component.
Package: servicemesh-prometheus (OpenShift Service Mesh 2.0) - Affected
Package: servicemesh-prometheus (OpenShift Service Mesh 2.1) - Fix deferred
Package: rhacm2/console-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2) - Affected
Package: automation-controller (Red Hat A
Debian
CVE-2022-25887: node-sanitize-html - The package sanitize-html before 2.7.1 is vulnerable to Regular Expression Deni...
vendor_debian · 2022 · MEDIUM · CVSS 5.3
Description: same as the NVD text above.
Scope: local
bookworm: resolved (fixed in 2.7.1+~2.6.2-1)
forky: resolved (fixed in 2.7.1+~2.6.2-1)
sid: resolved (fixed in 2.7.1+~2.6.2-1)
trixie: resolved (fixed in 2.7.1+~2.6.2-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c (upstream commit)
https://github.com/apostrophecms/sanitize-html/pull/557 (upstream pull request)
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102 (Snyk advisory, webjars)
https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526 (Snyk advisory, npm)
Published: 2022-08-30