
CVE-2025-59364: express-xss-sanitizer has an unbounded recursion depth

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.09832%
Published: 9/15/2025
Updated: 9/15/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name          | Ecosystem | Vulnerable Versions | First Patched Version
express-xss-sanitizer | npm       | <= 2.0.0            | (none listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability lies in the sanitize function in lib/sanitize.js, which is responsible for cleaning user input. This function recursively processes nested objects and arrays. However, it lacks any mechanism to limit the recursion depth. An attacker can exploit this by sending a request with a deeply nested JSON body. When the middleware in index.js passes this malicious input to the prepareSanitize function, which in turn calls sanitize, the uncontrolled recursion leads to a stack overflow, causing the application to crash. This results in a Denial of Service (DoS) vulnerability. The provided gist and the source code of lib/sanitize.js clearly show the recursive nature of the sanitize function without any safeguards.
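The following is an added illustration, not code from express-xss-sanitizer: a recursive object walk in the shape the analysis describes (the unbounded form) next to a hardened form that carries a depth counter and refuses input nested deeper than a configurable bound, wrapped in an Express-style middleware that answers 400 instead of letting the process crash. The escaping rule, the MAX_DEPTH value and the fake req/res used to exercise the middleware offline are all constructed for this example.

```javascript
// Added example (not the express-xss-sanitizer project's code). Demonstrates
// bounding recursion depth when sanitizing a parsed JSON request body.

const MAX_DEPTH = 32; // assumed bound; choose a value your API actually needs

// Constructed, minimal HTML escaping so the walk has work to do; a real
// sanitizer does far more than this.
function escapeString(s) {
  const map = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '&': '&amp;' };
  return s.replace(/[<>"'&]/g, (c) => map[c]);
}

class DepthLimitExceeded extends Error {}

// Unbounded walk: the defect class described in the advisory. Every nested
// object or array adds a stack frame and nothing stops the descent.
function sanitizeUnbounded(value) {
  if (typeof value === 'string') return escapeString(value);
  if (Array.isArray(value)) return value.map(sanitizeUnbounded);
  if (value && typeof value === 'object') {
    const out = {};
    for (const k of Object.keys(value)) out[escapeString(k)] = sanitizeUnbounded(value[k]);
    return out;
  }
  return value;
}

// Hardened walk: identical traversal, but the depth is tracked and the walk
// fails closed (throws) before the stack can be exhausted.
function sanitizeBounded(value, maxDepth = MAX_DEPTH, depth = 0) {
  if (depth > maxDepth) throw new DepthLimitExceeded(`nesting deeper than ${maxDepth}`);
  if (typeof value === 'string') return escapeString(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeBounded(v, maxDepth, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const k of Object.keys(value)) {
      out[escapeString(k)] = sanitizeBounded(value[k], maxDepth, depth + 1);
    }
    return out;
  }
  return value;
}

// Builds a constructed body with `depth` levels of nesting, for testing only.
function nested(depth) {
  let v = 'x';
  for (let i = 0; i < depth; i++) v = { a: v };
  return v;
}

// Express-style middleware: over-deep bodies become a 400 response, other
// errors are forwarded to the error handler, and the process stays up.
function sanitizeBodyMiddleware(maxDepth = MAX_DEPTH) {
  return (req, res, next) => {
    try {
      req.body = sanitizeBounded(req.body, maxDepth);
      next();
    } catch (e) {
      if (e instanceof DepthLimitExceeded) {
        return res.status(400).json({ error: 'request body nested too deeply' });
      }
      next(e);
    }
  };
}

// Runs the middleware against a constructed req/res pair so the outcome can be
// checked without a listening server. Returns { outcome, body }.
function runMiddleware(body, maxDepth = MAX_DEPTH) {
  let outcome = 'ok';
  const req = { body };
  const res = {
    status(code) { outcome = `rejected:${code}`; return this; },
    json() { return this; },
  };
  sanitizeBodyMiddleware(maxDepth)(req, res, (err) => { if (err) outcome = 'error'; });
  return { outcome, body: req.body };
}

console.log(runMiddleware(nested(5)).outcome);  // shallow body passes
console.log(runMiddleware(nested(40)).outcome); // deeper than MAX_DEPTH: rejected:400
```

Note that a body-size limit alone does not close this: `{"a":` costs five bytes per level, so a body well under a typical 100 kb parser limit can still carry thousands of levels. The depth bound has to live in the code that walks the structure.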


WAF Protection Rules

WAF Rule

The express-xss-sanitizer (aka express XSS Sanitizer) package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body.
