CVE-2022-25887

high

Description

The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.

References

Advisories

https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102

https://github.com/apostrophecms/sanitize-html/pull/557

https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c

Details

Source: Mitre, NVD

Published: 2022-08-30

Updated: 2023-08-08

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H