Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 3 npm packages depend on express-xss-sanitizer (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.0.2.
DescriptionGitHub Advisory
Description
A vulnerability has been identified in express-xss-sanitizer (<= 2.0.1) where restrictive sanitization configurations are silently ignored.
When a developer explicitly sets:
allowedTags: [] allowedAttributes: {}
the library incorrectly treats these values as "not provided" due to length/emptiness checks, and falls back to sanitize-html's default configuration.
As a result, instead of stripping all HTML tags and attributes, the sanitizer allows a permissive set of tags ` (e.g., <a>, <p>, <div>, etc.) and attributes (e.g., href on <a>)`.
This behavior violates the expected API contract and may lead to security issues such as content injection or XSS, depending on how the sanitized output is used.
Impact
Developers intending to fully strip HTML content by providing empty allowedTags or allowedAttributes configurations may unknowingly allow a wide range of HTML elements and attributes.
This can result in:
- Injection of unintended HTML content
`(e.g., <div>, <table>, headings)` - Injection of links via
`<a href="...">` - Potential XSS vectors depending on downstream usage
The impact depends on how the sanitized output is rendered or consumed, but the root issue is a mismatch between developer intent and actual behavior.
Proof of Concept
const { sanitize } = require('express-xss-sanitizer');
const sanitizeHtml = require('sanitize-html');
const input = '<a href="http://evil.com">click</a><p>phish</p>';
// Using express-xss-sanitizer (v2.0.1)
sanitize(input, { allowedTags: [], allowedAttributes: {} });
// => '<a href="http://evil.com">click</a><p>phish</p>'
// Expected behavior (sanitize-html directly)
sanitizeHtml(input, { allowedTags: [], allowedAttributes: {} });
// => 'clickphish'Root Cause
The issue was caused by validation logic that checked for non-empty arrays/objects:
- allowedTags required length > 0
- allowedAttributes required Object.keys(...).length > 0
This caused empty configurations ([]) and ({}) to be ignored, resulting in fallback to default permissive settings.
Fix
The validation logic has been updated to respect explicitly provided empty configurations.
Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
AnalysisAI
express-xss-sanitizer versions 2.0.1 and earlier silently ignore restrictive sanitization configurations when developers explicitly set empty allowedTags or allowedAttributes arrays, instead defaulting to permissive HTML allowlists that can enable XSS attacks. The CVSS score of 8.2 (AV:N/AC:L/PR:N/UI:N) reflects network-accessible, unauthenticated exploitation with high integrity impact. A public proof-of-concept demonstrating the configuration bypass exists in the GitHub security advisory, showing how input intended to be stripped of all HTML instead preserves anchor tags with href attributes and paragraph elements. No EPSS score or CISA KEV status was provided in the intelligence data.
Technical ContextAI
This vulnerability affects the express-xss-sanitizer npm package (CPE: pkg:npm/express-xss-sanitizer), a Node.js middleware library that wraps sanitize-html for XSS protection in Express applications. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation) manifesting through flawed validation logic. When developers pass empty configuration objects (allowedTags: [] or allowedAttributes: {}) to enforce strict HTML stripping, the library performs length checks that treat empty arrays and objects as unset parameters. This triggers fallback behavior to sanitize-html's default permissive configuration, which allows tags like a, p, div, table, and attributes like href. The discrepancy between developer intent (strip all HTML) and actual behavior (allow default tag set) creates a security boundary violation where content expected to be sanitized remains dangerous.
RemediationAI
Upgrade express-xss-sanitizer to version 2.0.2 or later, which corrects the validation logic to respect explicitly provided empty configurations (see release at https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2 and patch commit at https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f). The vendor advisory is available at https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq and through GitHub's advisory database at https://github.com/advisories/GHSA-3843-rr4g-m8jq. Organizations unable to upgrade immediately should implement compensating controls by calling sanitize-html directly with explicit empty configuration objects rather than relying on express-xss-sanitizer's wrapper, or implement additional output encoding at render time using context-appropriate escaping functions. Review all code locations where empty allowedTags or allowedAttributes configurations were used and verify sanitization behavior matches security requirements.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16876
GHSA-3843-rr4g-m8jq