GHSA-qhwp-454g-2gv4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qhwp-454g-2gv4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-qhwp-454g-2gv4/GHSA-qhwp-454g-2gv4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qhwp-454g-2gv4
- Withdrawn
- 2025-09-26T14:38:04Z
- Published
- 2025-09-15T00:30:15Z
- Modified
- 2025-09-26T14:38:04Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth
- Details
-
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references.
Original Descripton
The
express-xss-sanitizerpackage for Node.js has an unbounded recursion in thesanitizefunction (lib/sanitize.js) when processing JSON request bodies. A remote attacker can send a deeply nested payload to any endpoint that applies this sanitizer, driving excessive recursion and resource consumption (CPU) until the process becomes unresponsive or crashes (e.g., “Maximum call stack size exceeded”). This causes a denial of service. The issue is present through version 2.0.0; no fixed release is available as of this update. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-09-15T20:32:22Z", "severity": "MODERATE", "cwe_ids": [ "CWE-674" ], "nvd_published_at": "2025-09-14T23:15:37Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-59364
- https://dbugs.ptsecurity.com/vulnerability/PT-2025-37434
- https://gist.github.com/Spendroslav/177804eaef5acfb222a550de212a1b94
- https://github.com/AhmedAdelFahim/express-xss-sanitizer
- https://www.npmjs.com/package/express-xss-sanitizer
- https://www.tenable.com/cve/CVE-2025-59364
Affected packages
npm / express-xss-sanitizer
Package
- Name
- express-xss-sanitizer
- View open source insights on deps.dev
- Purl
- pkg:npm/express-xss-sanitizer