CVE-2019-25225

sanitize-html prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The sanitizeHtml() function in index.js does not sanitize content when using the custom transformTags option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.

Published: Sep 8, 2025
Updated: Nov 10, 2025
CVE: CVE-2019-25225
GHSA: GHSA-qhxp-v273-g94h
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
sanitize-html	-	2.0.0-beta
apostrophecms / sanitize-html	-	2.0.0

https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3
https://github.com/apostrophecms/sanitize-html/issues/293
https://github.com/apostrophecms/sanitize-html/pull/156
https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225

Vulnerability Database

CVE-2019-25225

Deep Security Visibility Without the Complexity