
CVE-2019-25225: sanitize-html is vulnerable to XSS through incomprehensive sanitization

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.07158%
Published: 9/8/2025
Updated: 9/12/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| sanitize-html | npm | < 2.0.0-beta | 2.0.0-beta |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability lies in the sanitize-html library, specifically within the main `sanitizeHtml` function in `index.js`. The advisory and commit details point to an XSS vulnerability when the `transformTags` option is used. The referenced commit `712cb6895825c8bb6ede71a16b42bade42abcaf3` shows the fix: the change from `result += frame.innerText;` to `result += escapeHtml(frame.innerText);` pinpoints the exact location of the defect. `frame.innerText` is populated from the `text` property returned by a custom `transformTags` handler. Before the patch, that text was appended to the output without escaping, so any HTML or script markup it carried was emitted verbatim. The test case added in `test/test.js` confirms the scenario: a malicious attribute value is copied by the transform into unescaped text content, yielding an XSS payload in the sanitizer's output. The `sanitizeHtml` function is therefore the vulnerable function that would appear in a runtime profile during exploitation.
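A model of that single code path, added here as an illustration rather than taken from the library (the `escapeHtml`, `makeFrame` and render functions are simplified stand-ins; the transform and input are constructed): a `transformTags` handler copies an attribute value into `text`, and the two renderers show the pre-fix concatenation beside the escaped form the patch introduced.

```javascript
// Added illustration for this advisory, not sanitize-html's own code. It models
// the path the fix touched: a transformTags handler returns `text`, sanitizeHtml()
// stores it in frame.innerText and appends it to the output, verbatim before the
// patch and through escapeHtml() after it. escapeHtml here is a reimplementation.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Constructed transform in the shape sanitize-html accepts: it copies an attribute
// value into the element's text, the pattern the advisory's added test exercises.
const transformTags = {
  a: (tagName, attribs) => ({ tagName, attribs: {}, text: attribs.title || '' }),
};

// Simulated parser frame for an opening tag; the transform runs at this point.
function makeFrame(tagName, attribs) {
  const frame = { tag: tagName, attribs, innerText: undefined };
  const transform = transformTags[tagName];
  if (transform) {
    const out = transform(tagName, attribs);
    frame.tag = out.tagName;
    frame.attribs = out.attribs;
    if (typeof out.text === 'string') frame.innerText = out.text; // transform-supplied
  }
  return frame;
}

// Pre-patch behaviour: result += frame.innerText (markup passes through untouched).
function renderVulnerable(frame) {
  let result = `<${frame.tag}>`;
  if (frame.innerText) result += frame.innerText;
  return result + `</${frame.tag}>`;
}

// Post-patch behaviour: result += escapeHtml(frame.innerText) (markup made inert).
function renderFixed(frame) {
  let result = `<${frame.tag}>`;
  if (frame.innerText) result += escapeHtml(frame.innerText);
  return result + `</${frame.tag}>`;
}

// Constructed input: an attribute value carrying markup. Attribute filtering never
// sees it as markup once the transform has moved it into `text`.
const frame = makeFrame('a', { title: '<script>probe()</script>' });
```

Running `renderVulnerable(frame)` returns the script tag intact inside the anchor, while `renderFixed(frame)` returns it entity-encoded.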


WAF Protection Rules

WAF Rule

`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values
