CVE-2022-25887

NameCVE-2022-25887
DescriptionThe package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1019219

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-sanitize-html (PTS)bookworm2.8.0+~2.6.2-1fixed
forky, sid, trixie2.14.0+~2.13.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-sanitize-htmlsource(unstable)2.7.1+~2.6.2-11019219

Notes

https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c (2.7.1)
https://github.com/apostrophecms/sanitize-html/pull/557
https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526
Search for package or bug name: Reporting problems