Medium severity (5.3) · OSV Advisory · Published Sep 14, 2025 · Updated Apr 15, 2026
CVE-2025-59364
Description
The express-xss-sanitizer (aka Express XSS Sanitizer) package through 2.0.0 for Node.js has unbounded recursion depth in the sanitize function in lib/sanitize.js when it processes a JSON request body.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| express-xss-sanitizer (npm) | < 2.0.1 | 2.0.1 |
Affected products
- Range: v1.2.0, v1.1.0, v1.1.1, …
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-hvq2-wf92-j4f3 (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-59364 (ghsa, advisory)
- dbugs.ptsecurity.com/vulnerability/PT-2025-37434 (ghsa, web)
- gist.github.com/Spendroslav/177804eaef5acfb222a550de212a1b94 (nvd, web)
- github.com/AhmedAdelFahim/express-xss-sanitizer/commit/62d6542a2a57298da7a2e02de623454007e4f6d6 (ghsa, web)
- github.com/AhmedAdelFahim/express-xss-sanitizer/pull/23 (ghsa, web)
- github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-hvq2-wf92-j4f3 (ghsa, web)
- www.npmjs.com/package/express-xss-sanitizer (nvd, web)
- www.tenable.com/cve/CVE-2025-59364 (ghsa, web)