Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations.
Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Express_Xss_Sanitizer_Project Express_Xss_Sanitizer
cpe:2.3:a:express_xss_sanitizer_project:express_xss_sanitizer:*:*:*:*:*:node.js:*:*
|
— |
2.0.2
|
References 3
https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf09…
security-advisories@github.com
https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2
security-advisories@github.com
https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHS…
security-advisories@github.com