VDB

CVE-2019-25225 PUBLISHED

`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.
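
An added lockfile check, not part of this record or of the sanitize-html project, that applies the affected-version boundary stated above to a package-lock.json: it compares npm versions including prerelease tags (so 2.0.0-beta counts as fixed even though it sorts below 2.0.0) and also reports transitive copies nested under other packages. The lockfile contents and the `legacy-editor` package are constructed for the example.

```javascript
// Added example, not from the advisory or sanitize-html: flag sanitize-html copies
// older than 2.0.0-beta in a package-lock.json v2/v3 "packages" map (transitive ones too).
const FIXED_VERSION = "2.0.0-beta";
// Parse an npm "MAJOR.MINOR.PATCH[-prerelease][+build]" string into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}
// Prerelease identifiers: numeric ones compare numerically and sort before alphanumeric ones.
function cmpIdent(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Number(a) - Number(b);
  if (na !== nb) return na ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  // Same core version: a full release outranks any of its prereleases.
  if (x.pre.length === 0 || y.pre.length === 0) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.min(x.pre.length, y.pre.length); i++) {
    const c = cmpIdent(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return x.pre.length - y.pre.length; // the longer prerelease list is the higher one
}
// Strictly before 2.0.0-beta is affected; 2.0.0-beta itself and later are not.
function isAffected(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}
// Return "path@version" for every affected sanitize-html entry in the lockfile.
function findAffected(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, e]) => p.endsWith("node_modules/sanitize-html") && e.version && isAffected(e.version))
    .map(([p, e]) => `${p}@${e.version}`);
}
// Constructed sample lockfile (not a real project): the direct copy is patched,
// a transitive copy pulled in by another package is not.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/sanitize-html": { version: "2.14.0" },
    "node_modules/legacy-editor/node_modules/sanitize-html": { version: "1.27.5" },
  },
};
console.log(findAffected(SAMPLE_LOCK)); // ["node_modules/legacy-editor/node_modules/sanitize-html@1.27.5"]
```

The same `findAffected` can be pointed at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means no copy older than 2.0.0-beta is installed.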

Risk Scores

EPSS Score
0.08%
23.6th percentile

Affected Products

Vendor            Product             Versions
Ubuntu:24.04:LTS  node-sanitize-html  0, 2.8.0+~2.6.2-1
Ubuntu:22.04:LTS  node-sanitize-html  0, 2.6.1-1
Ubuntu:25.10      node-sanitize-html  0, 2.14.0+~2.13.0-1

Timeline

  • Sep 8, 2025 CVE Published
  • Sep 8, 2025 EPSS Score
  • Sep 8, 2025 PoC Published
  • Sep 12, 2025 CVE Updated
  • Sep 14, 2025 PoC Published
  • Sep 15, 2025 EPSS Score
  • Sep 23, 2025 EPSS Score
  • Sep 30, 2025 EPSS Score
  • Oct 8, 2025 EPSS Score
  • Oct 15, 2025 EPSS Score
  • Oct 22, 2025 EPSS Score
  • Oct 30, 2025 EPSS Score