exploitDog
GHSA-qhwp-454g-2gv4

Published: 15 Sep 2025
Source: github
GitHub: reviewed
CVSS4: 6.9

Description

Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references.

Original Description

The express-xss-sanitizer package for Node.js has an unbounded recursion in the sanitize function (lib/sanitize.js) when processing JSON request bodies. A remote attacker can send a deeply nested payload to any endpoint that applies this sanitizer, driving excessive recursion and resource consumption (CPU) until the process becomes unresponsive or crashes (e.g., “Maximum call stack size exceeded”). This causes a denial of service. The issue is present through version 2.0.0; no fixed release is available as of this update.
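The weakness described above (CWE-674, uncontrolled recursion) is mitigated by bounding how deep a sanitizer will follow a request body before it refuses the input. The block below is an added example, not code from express-xss-sanitizer or from the advisory: it walks a JSON body recursively, applies a placeholder string scrubber (assumed here to stand in for whatever sanitizer is in use), and rejects the body with a RangeError as soon as nesting exceeds a fixed limit, so an over-deep payload is turned away long before the call stack is exhausted. The `MAX_DEPTH` value, the `escapeHtml` helper and the Express wiring in the trailing comment are all assumptions for illustration.

```javascript
// Added example (not express-xss-sanitizer's own code): a depth-bounded
// walker for JSON request bodies. The mitigation for CWE-674 is to stop
// recursing once nesting exceeds a fixed limit instead of following an
// attacker-chosen structure all the way down.

const MAX_DEPTH = 32; // assumed limit; tune to what your API actually needs

// Walks `value` recursively, applying `scrub` to every string leaf, and
// throws a RangeError as soon as nesting exceeds `maxDepth`. Arrays,
// plain objects and scalars are handled; the depth check runs first so
// the function bails out before allocating anything for a deep level.
function walkBounded(value, scrub, maxDepth = MAX_DEPTH, depth = 0) {
  if (depth > maxDepth) {
    throw new RangeError(`nesting depth exceeds ${maxDepth}`);
  }
  if (typeof value === 'string') return scrub(value);
  if (Array.isArray(value)) {
    return value.map((v) => walkBounded(v, scrub, maxDepth, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      out[key] = walkBounded(value[key], scrub, maxDepth, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// Placeholder scrubber (assumption): HTML-escapes the characters that
// matter most. It stands in for the real sanitizer and is not the
// package's sanitize() implementation.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Builds a constructed payload nested `n` levels deep without recursion,
// so producing the sample input cannot itself blow the stack.
function buildNested(n) {
  let v = '<script>alert(1)</script>';
  for (let i = 0; i < n; i++) v = [v];
  return v;
}

// Returns { status: 'ok', body } with the sanitized body, or
// { status: 'rejected', reason } when the depth limit is hit. An Express
// middleware would map 'rejected' to a 400 response.
function sanitizeBody(body, maxDepth = MAX_DEPTH) {
  try {
    return { status: 'ok', body: walkBounded(body, escapeHtml, maxDepth) };
  } catch (e) {
    if (e instanceof RangeError) return { status: 'rejected', reason: e.message };
    throw e;
  }
}

// Assumed Express wiring (not executed here): reject over-deep bodies
// before any recursive sanitizer sees them.
//   app.use(express.json());
//   app.use((req, res, next) => {
//     const r = sanitizeBody(req.body);
//     if (r.status !== 'ok') return res.status(400).json({ error: r.reason });
//     req.body = r.body;
//     next();
//   });

// Stand-alone demonstration on constructed inputs.
console.log(sanitizeBody({ comment: ['<b>hi</b>'] }));
console.log(sanitizeBody(buildNested(5)).status);      // ok
console.log(sanitizeBody(buildNested(100000)).status); // rejected
```

The check sits on depth, not on body size: a body limit in `express.json()` helps, but a few kilobytes of `[[[[...]]]]` is still enough to reach thousands of recursion levels, so the depth bound is what actually closes this class of issue.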

Packages

Name: express-xss-sanitizer (npm)
Affected versions: <= 2.0.0
Fixed version: none

6.9 Medium

CVSS4

Weaknesses

CWE-674
