CVE-2019-25225
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-19
Assigner: Checkmarx
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apostrophecms | sanitize-html | up to 2.0.0 (excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25225 is a Cross-site Scripting (XSS) vulnerability in the sanitize-html npm package prior to version 2.0.0-beta. The issue arises when using the custom transformTags option, which is intended to convert attribute values into text. The sanitizeHtml() function fails to properly escape or sanitize the text returned from these custom tag transformations. This allows malicious input containing executable HTML or JavaScript code to be injected and executed in the context of a web page, bypassing the intended sanitization. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can allow an attacker to inject malicious JavaScript code into user input fields that are processed by sanitize-html with custom tag transformations. When a victim views the affected page, the injected script can execute, leading to Cross-site Scripting (XSS) attacks. This can result in theft of user credentials, session hijacking, defacement, or other malicious actions performed in the context of the victim's browser. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reviewing how the sanitize-html package is used in your application, specifically checking whether custom transformTags functions are used without proper escaping of the transformed text. There are no specific network detection commands provided. To detect vulnerable versions, check the installed sanitize-html package version by running `npm list sanitize-html` in your project directory. If the reported version is earlier than 2.0.0-beta, it is vulnerable. Additionally, reviewing application code for uses of transformTags that return unescaped text may help identify potential exploitation points. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the sanitize-html package to version 2.0.0-beta or later, where the vulnerability has been fixed by properly escaping text returned from custom transformTags functions. If upgrading is not immediately possible, review and modify any custom transformTags implementations to ensure that any text returned is properly escaped before being included in the sanitized output. Avoid using unescaped innerText in transformTags to prevent injection of executable code. [2, 3]
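As an added illustration (not code from this page or from the sanitize-html project), the two shapes a transformTags callback can take when it copies an attribute value into the returned `text` field: the risky form that returns the value verbatim, and the hardened form the mitigation above calls for. The helper names, the `abbr`/`title` mapping and the sample attribute value are constructed assumptions.

```javascript
// sanitize-html lets a transformTags callback return { tagName, attribs, text }.
// Before 2.0.0-beta the `text` value was inserted into the output unescaped,
// so any transform that copies an attribute into `text` has to escape it itself.

// Minimal escaper for text content (assumed helper, not part of sanitize-html).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Risky pattern: the attribute value is returned as text verbatim.
function unsafeTitleToText(tagName, attribs) {
  return { tagName: 'span', attribs: {}, text: attribs.title || '' };
}

// Hardened pattern: escape anything copied into `text` before returning it.
function safeTitleToText(tagName, attribs) {
  return { tagName: 'span', attribs: {}, text: escapeHtml(attribs.title || '') };
}

// Review check: does a transform result still carry raw markup characters?
function textContainsRawMarkup(result) {
  return /[<>"']/.test(result.text);
}

// How the hardened transform would be wired in (assumes the package is
// installed; not executed here):
//   sanitizeHtml(dirty, { transformTags: { abbr: safeTitleToText } });

// Constructed sample attribute value that looks like markup.
const SAMPLE_ATTRIBS = { title: '<b>bold</b> & "quoted"' };
```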