Description
Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attacks. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
Published: 2026-03-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting via permissive sanitization
Action: Patch Now
AI Analysis

Impact

The Express XSS Sanitizer middleware, intended to clean user input, incorrectly ignores restrictive configurations for allowedTags or allowedAttributes. When these options are provided as empty arrays or objects, vulnerable versions override them before handing the configuration to the underlying sanitization routine (sanitize-html), whose defaults are permissive. As a result, malicious markup injected into request bodies, queries, headers or parameters can pass through the sanitizer, allowing arbitrary JavaScript execution in the victim's browser. The weakness is a classic cross-site scripting flaw, corresponding to CWE-79. The likely attack vector is an attacker who can send crafted HTTP requests to the application, but this conclusion is inferred from the description because the entry does not explicitly state the vector.

Affected Systems

The problem affects the AhmedAdelFahim Express XSS Sanitizer package used as middleware in Express 4.x and 5.x applications. All versions before 2.0.2 are vulnerable; upgrading to 2.0.2 or later resolves the issue. Applications that rely on the package for input sanitization are at risk if they have not applied the patch or if they configure the options incorrectly.

Risk and Exploitability

The CVSS base score of 8.2 classifies the flaw as high-severity; the published vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N) rates the integrity impact as high and the confidentiality impact as low, with no availability impact. The EPSS score is below 1%, suggesting a low probability of current exploitation, and the flaw is not listed in CISA's KEV catalog. Nonetheless, because the vulnerability enables arbitrary script execution in users' browsers via crafted web requests, the potential damage is considerable and the recommended remediation is immediate.

Generated by OpenCVE AI on March 31, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade express‑xss‑sanitizer to version 2.0.2 or later using npm or yarn, ensuring the application code starts using the patched dependency.
  • Verify that configuration options for allowedTags and allowedAttributes are explicitly defined; the patched version now respects empty arrays but misconfiguration can still lead to unintended permissiveness.
  • Run functional tests or automated XSS scanners against the customer‑facing endpoints to confirm that malicious payloads are no longer executed.
  • Maintain a regular patch management schedule to monitor for new releases of the middleware and apply security updates promptly.
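As an added illustration (not code from the express-xss-sanitizer project or from this advisory) of the defect class described under Impact, and of the kind of regression check the third action above calls for: a constructed option merge that drops explicitly empty allowedTags/allowedAttributes, beside one that forwards them, both run through a toy tag stripper standing in for sanitize-html. The default allow-lists, function names and the stripper are assumptions made for the example.

```javascript
// Constructed illustration of the advisory's defect class. This is NOT the
// express-xss-sanitizer or sanitize-html source; defaults and helpers are assumed.
const DEFAULT_TAGS = ['b', 'i', 'a', 'img'];          // assumed permissive defaults
const DEFAULT_ATTRS = { a: ['href'], img: ['src'] };  // assumed permissive defaults

// Vulnerable merge: an empty array/object fails the length check, so the
// permissive defaults silently replace the caller's restriction.
function mergeOptionsVulnerable(userOpts = {}) {
  const tags = userOpts.allowedTags;
  const attrs = userOpts.allowedAttributes;
  return {
    allowedTags: tags && tags.length ? tags : DEFAULT_TAGS,
    allowedAttributes: attrs && Object.keys(attrs).length ? attrs : DEFAULT_ATTRS,
  };
}

// Fixed merge: the key's presence, not its emptiness, decides whether the
// caller's value is forwarded unchanged (the behaviour 2.0.2 is described to have).
function mergeOptionsFixed(userOpts = {}) {
  const has = (k) => Object.prototype.hasOwnProperty.call(userOpts, k);
  return {
    allowedTags: has('allowedTags') ? userOpts.allowedTags : DEFAULT_TAGS,
    allowedAttributes: has('allowedAttributes') ? userOpts.allowedAttributes : DEFAULT_ATTRS,
  };
}

// Toy tag stripper standing in for the real sanitizer: removes every tag whose
// name is not in allowedTags. Regex-based, ignores attributes, demo only.
function stripDisallowed(html, opts) {
  const allowed = new Set(opts.allowedTags.map((t) => t.toLowerCase()));
  return html.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, (m, name) =>
    allowed.has(name.toLowerCase()) ? m : '');
}

const sanitizeVulnerable = (html, o) => stripDisallowed(html, mergeOptionsVulnerable(o));
const sanitizeFixed = (html, o) => stripDisallowed(html, mergeOptionsFixed(o));

// Regression check usable against any (html, options) => string sanitizer:
// with every tag and attribute disallowed, no tag may survive in the output.
function respectsEmptyConfig(sanitize) {
  const out = sanitize('<b>bold</b><img src="x">text', { allowedTags: [], allowedAttributes: {} });
  return !/<[a-z]/i.test(out);
}

console.log('vulnerable merge honours empty config:', respectsEmptyConfig(sanitizeVulnerable)); // false
console.log('fixed merge honours empty config:     ', respectsEmptyConfig(sanitizeFixed));      // true
```

Pointing respectsEmptyConfig at the real middleware's sanitizer function (after upgrading) is the check the third action describes; the toy stripper only exists so the example runs offline.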

Advisories
Source | ID | Title
Github GHSA | GHSA-3843-rr4g-m8jq | Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
History

Tue, 31 Mar 2026 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Express Xss Sanitizer Project; Express Xss Sanitizer Project express Xss Sanitizer
CPEs | | cpe:2.3:a:express_xss_sanitizer_project:express_xss_sanitizer:*:*:*:*:*:node.js:*:*
Vendors & Products | | Express Xss Sanitizer Project; Express Xss Sanitizer Project express Xss Sanitizer

Tue, 31 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ahmedadelfahim; Ahmedadelfahim express-xss-sanitizer
Vendors & Products | | Ahmedadelfahim; Ahmedadelfahim express-xss-sanitizer

Sat, 28 Mar 2026 03:15:00 +0000

Type | Values Removed | Values Added
Description | | Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attacks. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
Title | | Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
Weaknesses | | CWE-183; CWE-79
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:29:43.694Z

Reserved: 2026-03-24T22:20:06.210Z

Link: CVE-2026-33979

Vulnrichment

Updated: 2026-03-31T14:29:39.564Z

NVD

Status : Analyzed

Published: 2026-03-27T22:16:22.433

Modified: 2026-03-31T18:24:58.820

Link: CVE-2026-33979

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:11:52Z

Weaknesses