CVE-2019-25225
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-08

Last updated on: 2025-09-19

Assigner: Checkmarx

Description
`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-08
Last Modified
2025-09-19
Generated
2026-06-16
AI Q&A
2025-09-08
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25225
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apostrophecms sanitize-html to 2.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25225 is a Cross-site Scripting (XSS) vulnerability in the sanitize-html npm package prior to version 2.0.0-beta. The issue arises when using the custom transformTags option, which is intended to convert attribute values into text. The sanitizeHtml() function fails to properly escape or sanitize the text returned from these custom tag transformations. This allows malicious input containing executable HTML or JavaScript code to be injected and executed in the context of a web page, bypassing the intended sanitization. [1, 2, 3]

Impact Analysis

This vulnerability can allow an attacker to inject malicious JavaScript code into user input fields that are processed by sanitize-html with custom tag transformations. When a victim views the affected page, the injected script can execute, leading to Cross-site Scripting (XSS) attacks. This can result in theft of user credentials, session hijacking, defacement, or other malicious actions performed in the context of the victim's browser. [1, 3]

Detection Guidance

This vulnerability can be detected by reviewing the usage of the sanitize-html package in your application, specifically checking if custom transformTags functions are used without proper escaping of transformed text. There are no specific network detection commands provided. To detect vulnerable versions, you can check the installed sanitize-html package version by running the command `npm list sanitize-html` in your project directory. If the version is prior to 2.0.0-beta, it is vulnerable. Additionally, reviewing application code for usage of transformTags without escaping may help identify potential exploitation points. [1, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade the sanitize-html package to version 2.0.0-beta or later, where the vulnerability has been fixed by properly escaping text returned from custom transformTags functions. If upgrading is not immediately possible, review and modify any custom transformTags implementations to ensure that any text returned is properly escaped before being included in the sanitized output. Avoid using unescaped innerText in transformTags to prevent injection of executable code. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25225. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart