logo

Database

Improper resource allocation In express-xss-sanitizer

Description

Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references.

Original Descripton

The express-xss-sanitizer package for Node.js has an unbounded recursion in the sanitize function (lib/sanitize.js) when processing JSON request bodies. A remote attacker can send a deeply nested payload to any endpoint that applies this sanitizer, driving excessive recursion and resource consumption (CPU) until the process becomes unresponsive or crashes (e.g., “Maximum call stack size exceeded”). This causes a denial of service. The issue is present through version 2.0.0; no fixed release is available as of this update.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. NVD-2025-593642. GCVE-GHSA-qhwp-454g-2gv4

References

1. https://dbugs.ptsecurity.com/vulnerability/PT-2025-374342. https://gist.github.com/Spendroslav/177804eaef5acfb222a550de212a1b943. https://www.npmjs.com/package/express-xss-sanitizer

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.