CVE-2014-125128
PUBLISHED
'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-Site Scripting (XSS). The function 'naughtyHref' does not properly validate the hyperlink reference (`href`) attribute of anchor tags (`<a>`), so the check can be bypassed with attribute values that use different letter casing, embedded whitespace characters, or hexadecimal encodings.
Risk Scores
- EPSS Score: 0.08% (23.5th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:22.04:LTS | node-sanitize-html | 0, 2.6.1-1 |
| Ubuntu:24.04:LTS | node-sanitize-html | 0, 2.8.0+~2.6.2-1 |
| Ubuntu:25.10 | node-sanitize-html | 0, * |
Exploit Intelligence
- CIRCL seen: CVE-2014-125128 (circl-sighting)
- https://github.com/apostrophecms/sanitize-html/issues/1 (circl)
- https://github.com/apostrophecms/sanitize-html/commit/889d4ec968e175f1905b2eb9d33f1fa89217cb02 (circl)
- https://github.com/apostrophecms/sanitize-html/commit/423b90e06e1e85245eccedaabeb3a82840c6cd86 (circl)
- https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125128 (cve.org)
Timeline
- Sep 8, 2025 EPSS Score
- Sep 8, 2025 CVE Published
- Sep 8, 2025 PoC Published
- Sep 15, 2025 EPSS Score
- Sep 23, 2025 EPSS Score
- Sep 30, 2025 EPSS Score
- Oct 8, 2025 EPSS Score
- Oct 15, 2025 EPSS Score
- Oct 23, 2025 EPSS Score
- Oct 30, 2025 EPSS Score
- Nov 7, 2025 EPSS Score
- Nov 14, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2014-125128 (third-party-advisory)
- https://www.cve.org/CVERecord?id=CVE-2014-125128 (third-party-advisory)
- https://github.com/apostrophecms/sanitize-html/issues/1 (third-party-advisory)
- https://github.com/apostrophecms/sanitize-html/commit/889d4ec968e175f1905b2eb9d33f1fa89217cb02 (third-party-advisory)
- https://github.com/apostrophecms/sanitize-html/commit/423b90e06e1e85245eccedaabeb3a82840c6cd86 (third-party-advisory)
- https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125128 (third-party-advisory)