CVE-2025-59364: express-xss-sanitizer has an unbounded recursion depth
CVSS Score: 5.3 (CVSS v3.1)

Basic Information
CVE ID: CVE-2025-59364
GHSA ID:
EPSS Score: 0.09832%
CWE:
Published: 9/15/2025
Updated: 9/15/2025
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| express-xss-sanitizer | npm | <= 2.0.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in the sanitize function in lib/sanitize.js, which is responsible for cleaning user input. This function recursively processes nested objects and arrays. However, it lacks any mechanism to limit the recursion depth. An attacker can exploit this by sending a request with a deeply nested JSON body. When the middleware in index.js passes this malicious input to the prepareSanitize function, which in turn calls sanitize, the uncontrolled recursion leads to a stack overflow, causing the application to crash. This results in a Denial of Service (DoS) vulnerability. The provided gist and the source code of lib/sanitize.js clearly show the recursive nature of the sanitize function without any safeguards.
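The missing safeguard described above is a bound on recursion depth. The following is an added example, not code from express-xss-sanitizer: a recursive sanitizer in the same shape (strings escaped, objects and arrays walked recursively) that tracks its depth and refuses input nested deeper than a limit, plus an Express-style middleware wrapper that turns that refusal into a 400 response instead of an unhandled stack overflow. The `escapeHtml` helper is a stand-in for the library's real sanitization logic, the default limit of 20 is an assumed value to be chosen per application, and `nestedObject` only builds a constructed test input for the demonstration.

```javascript
// Added example: depth-bounded recursive sanitizer (not the library's own code).

const DEFAULT_MAX_DEPTH = 20; // assumed default; tune per application

// Stand-in for the library's HTML sanitization: escape the characters that
// matter for injection into an HTML context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Distinct error type so the middleware can tell "too deep" from other failures.
class DepthLimitError extends Error {
  constructor(depth, maxDepth) {
    super(`input nested ${depth} levels deep, limit is ${maxDepth}`);
    this.name = 'DepthLimitError';
  }
}

// Recursively sanitize a parsed JSON value. `depth` is the current nesting level
// (0 for the top-level value); exceeding `maxDepth` aborts the walk early, long
// before the engine's call stack is exhausted.
function sanitize(value, maxDepth = DEFAULT_MAX_DEPTH, depth = 0) {
  if (depth > maxDepth) throw new DepthLimitError(depth, maxDepth);
  if (typeof value === 'string') return escapeHtml(value);
  if (Array.isArray(value)) {
    return value.map((item) => sanitize(item, maxDepth, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      out[escapeHtml(key)] = sanitize(inner, maxDepth, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null pass through unchanged
}

// Express-style middleware: sanitize req.body, and answer an over-deep body with
// 400 rather than letting a RangeError crash the process.
function sanitizeMiddleware(options = {}) {
  const maxDepth = options.maxDepth ?? DEFAULT_MAX_DEPTH;
  return function (req, res, next) {
    try {
      if (req.body !== undefined) req.body = sanitize(req.body, maxDepth);
      next();
    } catch (err) {
      if (err instanceof DepthLimitError) {
        res.status(400).json({ error: 'request body nested too deeply' });
        return;
      }
      next(err);
    }
  };
}

// Constructed test input: an object wrapped in `depth` layers of { inner: ... }.
function nestedObject(depth) {
  let obj = { leaf: '<script>x</script>' };
  for (let i = 0; i < depth; i++) obj = { inner: obj };
  return obj;
}
```

With the limit in place, a body nested 50 levels deep is rejected by the first recursive call past the limit, while ordinary bodies are escaped as before; the limit should be set above the deepest structure the application legitimately accepts.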