Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-33979

Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
Back to all
CVE

CVE-2026-33979

Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)

Description

A vulnerability has been identified in express-xss-sanitizer (<= 2.0.1) where restrictive sanitization configurations are silently ignored.

When a developer explicitly sets:

  allowedTags: []

  allowedAttributes: {}

the library incorrectly treats these values as "not provided" due to length/emptiness checks, and falls back to sanitize-html's default configuration.

As a result, instead of stripping all HTML tags and attributes, the sanitizer allows a permissive set of tags  (e.g., <a>, <p>, <div>, etc.) and attributes (e.g., href on <a>).

This behavior violates the expected API contract and may lead to security issues such as content injection or XSS, depending on how the sanitized output is used.

 Impact

Developers intending to fully strip HTML content by providing empty allowedTags or allowedAttributes configurations may unknowingly allow a wide range of HTML elements and attributes.

This can result in:

  • Injection of unintended HTML content (e.g., <div>, <table>, headings)
  • Injection of links via <a href="...">
  • Potential XSS vectors depending on downstream usage

The impact depends on how the sanitized output is rendered or consumed, but the root issue is a mismatch between developer intent and actual behavior.

Proof of Concept

const { sanitize } = require('express-xss-sanitizer');
const sanitizeHtml = require('sanitize-html');
const input = '<a href="http://evil.com">click</a><p>phish</p>';
// Using express-xss-sanitizer (v2.0.1)
sanitize(input, { allowedTags: [], allowedAttributes: {} });
// => '<a href="http://evil.com">click</a><p>phish</p>'
// Expected behavior (sanitize-html directly)
sanitizeHtml(input, { allowedTags: [], allowedAttributes: {} });
// => 'clickphish'

Root Cause

The issue was caused by validation logic that checked for non-empty arrays/objects:

  • allowedTags required length > 0
  • allowedAttributes required Object.keys(...).length > 0

This caused empty configurations ([]) and ({}) to be ignored, resulting in fallback to default permissive settings.

Fix

The validation logic has been updated to respect explicitly provided empty configurations.

Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.2
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
C
H
U
8.2
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Related Resources

No items found.

References

https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq, https://nvd.nist.gov/vuln/detail/CVE-2026-33979, https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f, https://github.com/AhmedAdelFahim/express-xss-sanitizer, https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2

Severity

8.2

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
8.2
EPSS Probability
0.00021%
EPSS Percentile
0.05971%
Introduced Version
0,1.1.0,1.0.0
Fix Available
2.0.2

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading