CVE-2019-25225
📋 TL;DR
sanitize-html versions before 2.0.0-beta can be bypassed when the application uses the transformTags option: an attacker who controls HTML that passes through a transformTags callback can get script-bearing markup past the sanitizer, resulting in cross-site scripting (XSS). Applications that rely on sanitize-html to clean user-generated content and configure transformTags are affected; deployments that never set transformTags are not exposed by this issue.
💻 Affected Systems
- sanitize-html
📦 What is this software?
sanitize-html is an allowlist-based HTML sanitizer for Node.js maintained by ApostropheCMS. It parses untrusted HTML and emits only the tags and attributes permitted by its configuration; transformTags is the option that lets callers rewrite a tag (its name and attributes) during sanitization.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, session hijacking, or data exfiltration through persistent XSS attacks on all users accessing affected content.
Likely Case
Limited XSS attacks affecting users who view malicious content, potentially leading to session theft or client-side attacks.
If Mitigated
No direct impact if transformTags is not configured. Where it is, a Content Security Policy that forbids inline script limits what an injected payload can do but does not remove the bypass itself; only the upgrade does.
🎯 Exploit Status
A proof of concept is published in the Checkmarx repository listed under References. Exploitation requires that attacker-controlled HTML reach a sanitizeHtml() call configured with the transformTags option.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.0-beta and later
Vendor Advisory: https://github.com/apostrophecms/sanitize-html/issues/293
Restart Required: No
Instructions:
1. Upgrade to 2.0.0-beta or later: npm install sanitize-html@latest (npm update does not accept a version tag in that form). Check that no other dependency still pulls in a 1.x copy: npm ls sanitize-html --all
2. Verify the update with: npm list sanitize-html
3. Re-run the tests that cover your transformTags callbacks with safe inputs. 2.0.0 is a new major version, so consult the project's changelog for other behaviour changes before shipping.
🔧 Temporary Workarounds
Disable transformTags option
Remove or disable the custom transformTags configuration in sanitize-html usage until the upgrade lands. If the transform cannot be dropped, pass its output through a second sanitizeHtml() call that has no transformTags option, so that whatever the transform introduced is checked against the allowlist like any other input.
Implement additional input validation
Add server-side validation that rejects obvious script-bearing HTML (script tags, on* attributes, javascript: URLs) before sanitize-html runs. Treat this as a tripwire, not a fix: denylist filtering of HTML is easy to bypass with encoding tricks.
🧯 If You Can't Patch
- Deploy a Content Security Policy that omits 'unsafe-inline' for script-src (use nonces or hashes for legitimate inline scripts); this blocks inline script blocks and on* handlers that slip through, although it does not stop markup-only abuse such as injected forms or links
- Run the sanitized output through a second, independent sanitizer such as DOMPurify (with jsdom in Node) as defense in depth, and keep sanitize-html's own allowlist as strict as the content requires
🔍 How to Verify
Check if Vulnerable:
List every installed copy, including transitive ones pulled in by other packages: npm ls sanitize-html --all (older npm releases print the full tree without --all). Any copy reporting a version below 2.0.0-beta is affected, but only code paths that pass the transformTags option are exposed, so also grep the code base for transformTags.
Check Version:
npm ls sanitize-html --all, or grep the lockfile (package-lock.json or yarn.lock) for "sanitize-html".
Verify Fix Applied:
Every copy listed by npm ls sanitize-html --all reports 2.0.0-beta or higher (note that 2.0.0-beta sorts below 2.0.0 but above every 1.x release, so a plain string comparison gets it wrong).
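The version check above is easy to get wrong by hand because the fix landed in a prerelease (2.0.0-beta) and because a vulnerable copy may be nested under another package. The script below is an added example, not code from sanitize-html or from the advisory: it walks the JSON tree printed by npm ls sanitize-html --all --json, compares every copy against 2.0.0-beta using semver precedence rules (prerelease handling included), and reports the path to each copy. The sample tree embedded at the bottom is constructed, and "legacy-comment-widget" is a made-up package name.

```javascript
// Added example (not sanitize-html's or the advisory's code): walk the JSON
// dependency tree from `npm ls sanitize-html --all --json` and report every
// installed copy, transitive ones included, that is older than 2.0.0-beta.
'use strict';

const FIXED_VERSION = '2.0.0-beta'; // affected range per the advisory: before 2.0.0-beta

// Split "1.27.5" / "2.0.0-beta.1" into the numeric core and prerelease identifiers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease precedence per semver 2.0.0: a release outranks any prerelease of
// the same core; numeric identifiers rank below alphanumeric ones; otherwise
// compare identifier by identifier, and the longer list wins on a tie.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    const x = a[i], y = b[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xNum) return -1;
    else if (yNum) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return Math.sign(a.length - b.length);
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

function isVulnerable(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Recursively collect every sanitize-html node in an `npm ls --json` tree.
function findSanitizeHtml(node, path = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = path.concat(name);
    if (name === 'sanitize-html' && child.version) {
      out.push({ path: here.join(' > '), version: child.version, vulnerable: isVulnerable(child.version) });
    }
    findSanitizeHtml(child, here, out);
  }
  return out;
}

function audit(npmLsJson) {
  return findSanitizeHtml(JSON.parse(npmLsJson));
}

// Constructed stand-in for real `npm ls sanitize-html --all --json` output:
// the app's own copy is fixed, but a transitive copy is still on 1.x.
const SAMPLE_NPM_LS = JSON.stringify({
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'sanitize-html': { version: '2.7.0' },
    'legacy-comment-widget': {
      version: '0.3.1',
      dependencies: { 'sanitize-html': { version: '1.27.5' } },
    },
  },
});

// Usage: node audit.js tree.json   (where tree.json is saved `npm ls` output);
// with no argument the constructed sample tree is audited instead.
const inputFile = typeof process !== 'undefined' && process.argv[2];
const source = inputFile ? require('fs').readFileSync(inputFile, 'utf8') : SAMPLE_NPM_LS;
for (const hit of audit(source)) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok        '} ${hit.version.padEnd(12)} ${hit.path}`);
}
```

The walk deliberately reports every copy rather than only the top-level one: the bug lives wherever a 1.x sanitizeHtml() is called with transformTags, and a nested copy inside another package is just as reachable as your own.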
📡 Detection & Monitoring
Log Indicators:
- Script-bearing constructs in submitted HTML that should never survive sanitization: <script> tags, on* event-handler attributes, javascript: URLs in href/src, and encoded variants of these (percent-encoded or HTML-entity-encoded) that only become visible after decoding
Network Indicators:
- Content Security Policy violation reports (report-uri/report-to) citing inline script or event handlers on pages that render user-generated content
- Client-side requests to unexpected external hosts that carry session cookies or tokens, the usual sign of exfiltration by an injected script
SIEM Query:
Correlate web application request logs for the endpoints that accept user HTML (comments, profiles, rich-text fields) with the decoded patterns above, and scope the search to input that reaches a sanitizeHtml() call configured with transformTags, since other inputs are not affected by this bug.
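A search for literal "<script" in raw logs misses most real payloads, because the interesting ones arrive percent-encoded or entity-encoded. The following is an added example of the detection logic described above, not code from the advisory or the project: it peels a few layers of URL and HTML-entity encoding off each log line and then matches a small set of script-bearing patterns. The log lines are constructed for the example; the endpoint names and field names in them are assumptions.

```javascript
// Added example (not from the advisory): flag request log lines whose
// user-supplied HTML carries script-bearing constructs, after decoding.
'use strict';

// Indicators that should never survive a correctly configured sanitizer.
const INDICATORS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i },
  { name: 'srcdoc',         re: /\bsrcdoc\s*=/i },
  { name: 'embed-tag',      re: /<\s*(?:iframe|object|embed)\b/i },
];

// Guarded code-point conversion: oversized numeric entities must not throw.
const cp = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');

// Undo percent-encoding and HTML entities repeatedly (attackers stack them),
// stopping when a pass changes nothing or after a bounded number of passes.
function decodeLayers(s) {
  let cur = s;
  for (let pass = 0; pass < 3; pass++) {
    let next = cur;
    try { next = decodeURIComponent(next.replace(/\+/g, ' ')); } catch (e) { /* malformed escape: keep as is */ }
    next = next
      .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
      .replace(/&#(\d+);?/g, (_, d) => cp(Number(d)))
      .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
      .replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Names of every indicator that fires on one decoded line.
function scanLine(line) {
  const decoded = decodeLayers(line);
  return INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
}

// Run over a whole log, returning 1-based line numbers with their indicators.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, idx) => {
    const names = scanLine(line);
    if (names.length) hits.push({ line: idx + 1, indicators: names });
  });
  return hits;
}

// Constructed sample: one benign comment, three encoded payloads, one benign
// query that contains the letters "on" but no handler.
const SAMPLE_LOG = [
  '2024-01-01T00:00:00Z POST /comments body=%3Cp%3EHello%3C%2Fp%3E',
  '2024-01-01T00:00:01Z POST /comments body=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E',
  '2024-01-01T00:00:02Z POST /comments body=%3Ca%20href%3D%22javascript%3Aalert(1)%22%3Ex%3C%2Fa%3E',
  '2024-01-01T00:00:03Z POST /comments body=%26lt%3Bscript%26gt%3B...',
  '2024-01-01T00:00:04Z GET /profile?bio=I+love+onions',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`line ${hit.line}: ${hit.indicators.join(', ')}`);
}
```

The event-handler pattern is the noisiest of the five (a query parameter named option= will trip it), so in a production rule restrict it to fields that actually carry HTML, and treat a hit as a lead to inspect the stored content rather than as proof of exploitation.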
🔗 References
- https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225
- https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3
- https://github.com/apostrophecms/sanitize-html/issues/293
- https://github.com/apostrophecms/sanitize-html/pull/156