Unbounded Recursion Vulnerability in Express XSS Sanitizer for Node.js
CVE-2025-59364

5.3 MEDIUM

What is CVE-2025-59364?

The Express XSS Sanitizer package for Node.js (express-xss-sanitizer), up to and including version 2.0.0, contains an unbounded recursion in the 'sanitize' function in lib/sanitize.js. The function recurses over nested request data without a depth limit, so a remote, unauthenticated attacker can send a specially crafted, deeply nested JSON request body that exhausts the Node.js call stack. The result is a denial of service: the affected request fails and, if the resulting exception is not caught, the process crashes, degrading availability for every other client of the application. Developers using this package should check whether untrusted request bodies reach the sanitizer and upgrade to a version that fixes the issue.
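The failure mode described above, as an added example that is not code from express-xss-sanitizer: a minimal recursive body sanitizer with the unbounded-recursion pattern sits beside a depth-limited version, both are run on a constructed deeply nested body, and a hypothetical Express-style middleware shows the bounded version answering 400 instead of letting the exception escape. `escapeHtml`, `MAX_DEPTH`, `NestingTooDeepError` and `sanitizeBodyMiddleware` are illustrative names chosen here, not the package's API.

```javascript
'use strict';

// Stand-in for the HTML-escaping step; the real package's output filtering
// is not reproduced here, only the traversal that matters for the DoS.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: one native stack frame per nesting level, no bound.
// A body nested tens of thousands of levels deep exhausts the call stack and
// V8 throws RangeError ("Maximum call stack size exceeded").
function sanitizeUnbounded(value) {
  if (typeof value === 'string') return escapeHtml(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeUnbounded(v));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) out[key] = sanitizeUnbounded(value[key]);
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// Hardened form: reject before the stack can overflow. MAX_DEPTH is a
// hypothetical limit; size it to the deepest structure your API legitimately accepts.
const MAX_DEPTH = 32;

class NestingTooDeepError extends Error {
  constructor(limit) {
    super(`request body nested deeper than ${limit} levels`);
    this.name = 'NestingTooDeepError';
  }
}

function sanitizeBounded(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new NestingTooDeepError(MAX_DEPTH);
  if (typeof value === 'string') return escapeHtml(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeBounded(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) out[key] = sanitizeBounded(value[key], depth + 1);
    return out;
  }
  return value;
}

// Constructed attacker input: the object a JSON body parser hands to the
// sanitizer for {"a":{"a":{"a":...}}} with `levels` nesting levels.
function buildNestedBody(levels) {
  let body = 'payload';
  for (let i = 0; i < levels; i += 1) body = { a: body };
  return body;
}

// Run both sanitizers on the same body and report how each one ends.
function demonstrate(levels) {
  const body = buildNestedBody(levels);
  const outcome = (fn) => {
    try {
      fn(body);
      return 'ok';
    } catch (e) {
      if (e instanceof NestingTooDeepError) return 'rejected';
      if (e instanceof RangeError) return 'stack-overflow';
      throw e;
    }
  };
  return { unbounded: outcome(sanitizeUnbounded), bounded: outcome(sanitizeBounded) };
}

// Hypothetical Express-style middleware (not the package's API): hostile
// nesting becomes a 400 for that client rather than an uncaught exception.
function sanitizeBodyMiddleware(req, res, next) {
  try {
    req.body = sanitizeBounded(req.body);
    return next();
  } catch (e) {
    if (e instanceof NestingTooDeepError) return res.status(400).json({ error: e.message });
    return next(e);
  }
}

console.log(demonstrate(10));     // a normal body: both sanitizers succeed
console.log(demonstrate(100000)); // hostile body: unbounded overflows, bounded rejects
```

Note that a request body size limit does not close this hole on its own: express.json() defaults to a 100kb limit, and at five bytes per `{"a":` level that still allows roughly 20,000 levels of nesting, far beyond the depth at which a default Node.js stack overflows on a per-level recursion. An explicit depth check (or an iterative traversal) in the sanitizer is what removes the crash.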

Affected Version(s)

Express XSS Sanitizer 2.0.0

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Timeline

  • Vulnerability reserved

  • Vulnerability published