CVE-2019-25225
Cross-site Scripting (XSS) vulnerability in sanitize-html (npm)

Cross-site Scripting (XSS) No known exploit

What is CVE-2019-25225 About?

`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function fails to properly sanitize content when using the `transformTags` option, allowing malicious input to be executed as code.

Affected Software

sanitize-html <2.0.0-beta

Technical Details

Versions of sanitize-html before 2.0.0-beta are susceptible to Cross-site Scripting (XSS) because of an oversight in the sanitizeHtml() implementation. When the custom transformTags option is used to convert attribute values into text, the function does not sanitize the content produced by that transformation. Input containing executable code (e.g., JavaScript) that is processed by sanitizeHtml() with the transformTags option can therefore be transformed or passed through without escaping; when the resulting output is rendered in a web browser, the attacker's code executes, resulting in an XSS attack.
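As an added illustration, not code from the sanitize-html project or from this advisory: a transformTags-style callback that escapes attribute-derived text itself, so an application still on a pre-2.0.0-beta release does not depend on the library to escape it, plus a version gate for the affected range. The escapeHtml helper, the leak check and the sample attribute bag are assumptions; the (tagName, attribs) => { tagName, attribs, text } return shape is the transformTags option the advisory describes.

```javascript
// Added example (not code from sanitize-html or this advisory). A transformTags
// callback in sanitize-html may return { tagName, attribs, text }; in releases
// before 2.0.0-beta the returned `text` was passed through without sanitizing,
// so markup copied from an attribute value into `text` lands in the output as-is.

// Escape the five HTML-significant characters (hypothetical helper).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the attribute value is copied straight into `text`.
function unsafeAttribToText(attrName) {
  return (tagName, attribs) => ({ tagName, attribs, text: attribs[attrName] || '' });
}

// Hardened pattern: escape before the value leaves the transformer, so the
// output stays inert even when the library does not escape `text` itself.
function safeAttribToText(attrName) {
  return (tagName, attribs) => ({ tagName, attribs, text: escapeHtml(attribs[attrName] || '') });
}

// Regression check for a transformer configuration: does a raw tag survive in `text`?
function transformerLeaksMarkup(transformer, tagName, attribs) {
  const out = transformer(tagName, attribs);
  return /<\/?[a-z]/i.test(out.text || '');
}

// Version gate from the advisory: affected if below 2.0.0-beta. Prerelease
// identifiers are compared lexically, which is enough for alpha/beta/rc tags.
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version.trim());
  if (!m) throw new Error('unparseable version: ' + version);
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  if (major < 2) return true;
  if (major === 2 && minor === 0 && patch === 0 && m[4] !== undefined) return m[4] < 'beta';
  return false;
}

// Constructed sample: a title attribute carrying markup.
const sampleAttribs = { href: 'https://example.invalid/', title: 'Click <script>x()</script> here' };

console.log(transformerLeaksMarkup(unsafeAttribToText('title'), 'a', sampleAttribs)); // true
console.log(transformerLeaksMarkup(safeAttribToText('title'), 'a', sampleAttribs));   // false
console.log(isAffectedVersion('1.27.5'), isAffectedVersion('2.0.0-beta'));            // true false
```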

What is the Impact of CVE-2019-25225?

Successful exploitation may allow attackers to execute arbitrary client-side script code in the context of the user's browser, leading to session hijacking, defacement, sensitive data disclosure, or further client-side attacks.

What is the Exploitability of CVE-2019-25225?

Exploitation requires an attacker to submit malicious input to an application that uses the vulnerable sanitize-html library with the transformTags option enabled and renders user-supplied content; a user must then view the crafted content. The complexity is low to moderate, depending on the specific transformTags configuration and the attacker's ability to craft a bypass. No authentication is strictly required if the input point is publicly accessible (e.g., a comment form). This is a remote, client-side vulnerability. The prevalence of user-generated content and the widespread use of sanitization libraries in web applications increase the likelihood of finding vulnerable instances.

What are the Known Public Exploits?

No known exploits (no PoC, author, link, or commentary entries are listed).

What are the Available Fixes for CVE-2019-25225?

Available Upgrade Options

  • sanitize-html
    • <2.0.0-beta → Upgrade to 2.0.0-beta


Additional Resources

What are Similar Vulnerabilities to CVE-2019-25225?

Similar Vulnerabilities: CVE-2017-1000020, CVE-2018-12507, CVE-2019-10747, CVE-2020-7609, CVE-2021-23398