VYPR
High severity · NVD Advisory · Published Aug 30, 2022 · Updated Sep 17, 2024

Regular Expression Denial of Service (ReDoS)

CVE-2022-25887

Description

The package sanitize-html before 2.7.1 is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic in its HTML comment removal.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

sanitize-html before 2.7.1 is vulnerable to ReDoS due to an insecure regex for HTML comment removal, allowing attackers to cause a denial of service.

Vulnerability

Description

CVE-2022-25887 is a Regular Expression Denial of Service (ReDoS) vulnerability in the npm package sanitize-html in versions prior to 2.7.1 [1][2]. The root cause is the insecure global regular expression replacement used to remove HTML comments, specifically the pattern <!--.*?--> applied with the g flag [1][4]. This regex can be exploited by providing crafted input that causes catastrophic backtracking, leading to excessive CPU consumption [2][3].

Exploitation

An attacker can trigger this vulnerability by submitting specially crafted HTML containing nested or malformed comment structures to any application that uses the vulnerable version of sanitize-html for input sanitization [1][2]. The attack requires no special privileges; it is a network-based vector where the attacker sends a malicious payload as part of user-supplied content [2][3]. Once processed, the regular expression engine enters a state of exponential backtracking, effectively freezing the Node.js event loop [2][3].

Impact

Successful exploitation results in a denial of service (DoS) condition, making the application unresponsive to legitimate users [1][2]. Since sanitize-html is commonly used to clean user-generated HTML in web applications, this vulnerability can affect many sites [1][2]. The impact is rated with a CVSS 3.1 base score of 7.5 (High) due to the low complexity and network accessibility [1].

Mitigation

The vulnerability is fixed in sanitize-html version 2.7.1 [1][4]. The fix replaces the global regex with a non-regex loop that safely removes comments by finding sequential <!-- and --> markers [4]. Users are advised to update immediately; no workarounds are documented [1][4].
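As an added illustration (this is not sanitize-html's own code), the following JavaScript places the advisory's regex beside a single-pass replacement of the kind the Mitigation paragraph describes: it scans once from left to right, looks for sequential <!-- and --> markers, and resumes after each closing marker, so its cost grows linearly with input length no matter how many opening markers appear or whether any is terminated. The function names and sample strings are constructed for this example. The regex's "." does not match a newline, so the equivalence check is meaningful only for single-line inputs such as the href values the fix targets.

```javascript
// Added example, not code from the sanitize-html project.
// The pattern the advisory names: lazy match between <!-- and -->, global flag.
const COMMENT_REGEX = /<!--.*?-->/g;

// Reference behaviour (vulnerable form): every '<!--' that is not followed by
// '-->' makes the engine scan to the end of the string before giving up.
function stripCommentsWithRegex(href) {
  return href.replace(COMMENT_REGEX, '');
}

// Hardened form: one left-to-right pass. Each character is examined a bounded
// number of times, because the search resumes after the last '-->' consumed
// instead of restarting from index 0 or rebuilding the whole string.
function stripCommentsSinglePass(href) {
  let out = '';
  let pos = 0;
  while (pos < href.length) {
    const start = href.indexOf('<!--', pos);
    if (start === -1) {
      out += href.slice(pos); // no more comment openers: copy the rest
      break;
    }
    const end = href.indexOf('-->', start + 4);
    if (end === -1) {
      // Unterminated comment: keep the remainder verbatim, as the regex does.
      out += href.slice(pos);
      break;
    }
    out += href.slice(pos, start); // keep text before the comment
    pos = end + 3;                 // resume just past '-->'
  }
  return out;
}

// Constructed single-line samples: ordinary, adjacent, nested and unterminated.
const SAMPLE_INPUTS = [
  'http://exa<!-- c -->mple.test/path',
  '<!-- a --><!-- b -->ok',
  '<!-- <!-- --> -->',
  '<!--<!--<!--tail',
  'no comments here',
];

// Returns true when both strippers agree on every sample (single-line only).
function sameAsRegexOnSingleLine(inputs) {
  return inputs.every((s) => stripCommentsWithRegex(s) === stripCommentsSinglePass(s));
}

// Regression-style check for the hardened form: a long run of unterminated
// openers, the shape the advisory warns about, must return promptly and
// unchanged. The regex is deliberately not run on this input.
function unterminatedRunIsUnchanged(count) {
  const input = '<!--'.repeat(count) + 'x';
  return stripCommentsSinglePass(input) === input;
}

for (const s of SAMPLE_INPUTS) {
  console.log(JSON.stringify(s), '->', JSON.stringify(stripCommentsSinglePass(s)));
}
console.log('agrees with regex on samples:', sameAsRegexOnSingleLine(SAMPLE_INPUTS));
console.log('20000 unterminated openers handled:', unterminatedRunIsUnchanged(20000));
```

The nested sample shows that both forms stop at the first "-->" after an opener and leave the trailing " -->" in place, so the hardened form preserves the original semantics while removing the pathological cost.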

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions   Patched versions
sanitize-html (npm)  < 2.7.1             2.7.1

Affected products

2

Patches

1
b4682c12fd30

Merge pull request #557 from apostrophecms/release-2.7.1

https://github.com/apostrophecms/sanitize-html · Tom Boutell · Jul 20, 2022 · via ghsa
3 files changed · +16 −3
  • CHANGELOG.md · +4 −1 · modified
    @@ -1,6 +1,9 @@
     # Changelog
     
    -- Protocol-relative URLs are properly supported for script tags
    +## 2.7.1 (2022-07-20)
    +
    +- Protocol-relative URLs are properly supported for script tags. Thanks to [paweljq](https://github.com/paweljq).
    +- A denial-of-service vulnerability has been fixed by replacing global regular expression replacement logic for comment removal with a new implementation. Thanks to Nariyoshi Chida of NTT Security Japan for pointing out the issue.
     
     ## 2.7.0 (2022-02-04)
     
    
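Review bot: the new 2.7.1 entry describes the fix only as "a new implementation" and does not say which code path was affected, so a reader auditing a dependency cannot tell from the changelog that it is the comment stripping applied to href values in index.js. Suggest naming that location and, once assigned, the advisory identifier, for example "comment removal in href sanitization (advisory id) now uses a non-regex scan". The line also folds the existing protocol-relative URL bullet into the new release heading, which is fine, but the credit link for that bullet and the security credit would be easier to find as separate sentences.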
  • index.js · +11 −1 · modified
    @@ -612,7 +612,17 @@ function sanitizeHtml(html, options, _recursing) {
         // Clobber any comments in URLs, which the browser might
         // interpret inside an XML data island, allowing
         // a javascript: URL to be snuck through
    -    href = href.replace(/<!--.*?-->/g, '');
    +    while (true) {
    +      const firstIndex = href.indexOf('<!--');
    +      if (firstIndex === -1) {
    +        break;
    +      }
    +      const lastIndex = href.indexOf('-->', firstIndex + 4);
    +      if (lastIndex === -1) {
    +        break;
    +      }
    +      href = href.substring(0, firstIndex) + href.substring(lastIndex + 3);
    +    }
         // Case insensitive so we don't get faked out by JAVASCRIPT #1
         // Allow more characters after the first so we don't get faked
         // out by certain schemes browsers accept
    
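Review bot: the loop still does quadratic work on inputs containing many complete comments, because `href.indexOf('<!--')` restarts from index 0 on every iteration and `href = href.substring(0, firstIndex) + href.substring(lastIndex + 3)` rebuilds the whole string each time; the unterminated-opener case that caused the report is now cheap (the loop breaks at the first opener without a closer), but a single left-to-right pass that resumes from `lastIndex + 3` and appends kept segments to an output buffer would make the cost linear for every input. Two further points: the replacement changes behaviour slightly, since `.` in the old regex did not match a newline while `indexOf` will strip a comment that spans lines (a tightening, but worth a sentence in the commit or changelog), and none of the three files touched adds a test, so a regression case with a long run of unterminated `<!--` markers and a nested `<!-- <!-- --> -->` sample should accompany this change.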
  • package.json · +1 −1 · modified
    @@ -1,6 +1,6 @@
     {
       "name": "sanitize-html",
    -  "version": "2.7.0",
    +  "version": "2.7.1",
       "description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis",
       "sideEffects": false,
       "main": "index.js",
    
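Review bot: the bump from 2.7.0 to 2.7.1 matches the new "## 2.7.1 (2022-07-20)" changelog heading and is the right patch-level increment for a fix with no API change; nothing further on this hunk.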

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
