GHSA-QHWP-454G-2GV4
Vulnerability from github – Published: 2025-09-15 00:30 – Updated: 2025-09-26 14:38
Summary
Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth
Details
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references.
Original Description
The express-xss-sanitizer package for Node.js has an unbounded recursion in the sanitize function (lib/sanitize.js) when processing JSON request bodies. A remote attacker can send a deeply nested payload to any endpoint that applies this sanitizer, driving excessive recursion and resource consumption (CPU) until the process becomes unresponsive or crashes (e.g., “Maximum call stack size exceeded”). This causes a denial of service. The issue is present through version 2.0.0; no fixed release is available as of this update.
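The two walks below are an added example, not code from express-xss-sanitizer: the first recurses over a parsed JSON body without any limit, which is the shape of bug the advisory describes (every nesting level costs a stack frame), and the second adds a depth cap so an over-deep body is rejected with a 400 instead of taking the process down. The `MAX_DEPTH` value, the `cleanString` placeholder and the `nested()` test generator are assumptions for illustration.

```javascript
// Added example, not express-xss-sanitizer's own code: a sanitizer-style recursive
// walk over a parsed JSON body, unbounded (the advisory's pattern) and depth-capped.

const MAX_DEPTH = 32; // assumed cap; set it to what the API legitimately needs

// Placeholder stand-in for real XSS cleaning of string values and keys.
function cleanString(s) {
  return s.replace(/[<>]/g, '');
}

// Unbounded recursion: each nesting level adds a stack frame, so a deep enough
// body ends in "Maximum call stack size exceeded" or burns CPU first.
function sanitizeUnbounded(value) {
  if (typeof value === 'string') return cleanString(value);
  if (Array.isArray(value)) return value.map(sanitizeUnbounded);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[cleanString(k)] = sanitizeUnbounded(v);
    return out;
  }
  return value;
}

// Bounded variant: carry the depth and fail fast with a recognisable error.
class DepthExceededError extends Error {}

function sanitizeBounded(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new DepthExceededError(`nesting deeper than ${MAX_DEPTH}`);
  if (typeof value === 'string') return cleanString(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeBounded(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[cleanString(k)] = sanitizeBounded(v, depth + 1);
    return out;
  }
  return value;
}

// Where the Express middleware would sit: map the depth error to a 400 response
// rather than letting the exception escape and crash the worker.
function handleBody(body) {
  try { return { status: 200, body: sanitizeBounded(body) }; }
  catch (e) { if (e instanceof DepthExceededError) return { status: 400, body: null }; throw e; }
}

// Constructed test input: an object nested `levels` deep (leaf string at depth `levels`).
function nested(levels) {
  let v = 'leaf';
  for (let i = 0; i < levels; i++) v = { a: v };
  return v;
}
```

A depth cap in the sanitizer is a backstop; the JSON body parser in front of it should also enforce a byte-size limit so the payload is bounded before it is ever walked.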
Severity
{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "express-xss-sanitizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-15T20:32:22Z",
    "nvd_published_at": "2025-09-14T23:15:37Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references.\n\n## Original Descripton\n\nThe `express-xss-sanitizer` package for Node.js has an unbounded recursion in the `sanitize` function (`lib/sanitize.js`) when processing JSON request bodies. A remote attacker can send a deeply nested payload to any endpoint that applies this sanitizer, driving excessive recursion and resource consumption (CPU) until the process becomes unresponsive or crashes (e.g., \u201cMaximum call stack size exceeded\u201d). This causes a denial of service. The issue is present through version 2.0.0; no fixed release is available as of this update.",
  "id": "GHSA-qhwp-454g-2gv4",
  "modified": "2025-09-26T14:38:04Z",
  "published": "2025-09-15T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59364"
    },
    {
      "type": "WEB",
      "url": "https://dbugs.ptsecurity.com/vulnerability/PT-2025-37434"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Spendroslav/177804eaef5acfb222a550de212a1b94"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/express-xss-sanitizer"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/cve/CVE-2025-59364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth",
  "withdrawn": "2025-09-26T14:38:04Z"
}