npm package
express-xss-sanitizer
pkg:npm/express-xss-sanitizer
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33979 | Hig | 8.2 | < 2.0.2 | 2.0.2 | Mar 27, 2026 | Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization | |
| CVE-2025-59364 | Med | 5.3 | < 2.0.1 | 2.0.1 | Sep 14, 2025 | The express-xss-sanitizer (aka Express XSS Sanitizer) package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body. | |
| CVE-2022-21169 | — | < 1.1.3 | 1.1.3 | Sep 26, 2022 | The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization. |
- affected < 2.0.2fixed 2.0.2
Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization
- affected < 2.0.1fixed 2.0.1
The express-xss-sanitizer (aka Express XSS Sanitizer) package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body.
- CVE-2022-21169Sep 26, 2022affected < 1.1.3fixed 1.1.3
The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.