Fix CVE–2022–25887

[debricked]

CVE–2022–25887

Vulnerability details

Description

NVD

The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.

GitLab Advisory Database (Open Source Edition)

Inefficient Regular Expression Complexity

The package sanitize-html before 2.7.1 is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.

CVSS details - 7.5

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity	None
Availability	High

References

    NVD - CVE-2022-25887
    npm/sanitize-html/CVE-2022-25887.yml · main · GitLab.org / GitLab Advisory Database Open Source Edition · GitLab
    Regular Expression Denial of Service (ReDoS) in org.webjars.npm:sanitize-html | CVE-2022-25887 | Snyk
    Release 2.7.1 by boutell · Pull Request #557 · apostrophecms/sanitize-html · GitHub
    Merge pull request #557 from apostrophecms/release-2.7.1 · apostrophecms/sanitize-html@b4682c1 · GitHub
    Regular Expression Denial of Service (ReDoS) in sanitize-html | CVE-2022-25887 | Snyk
    GitHub - apostrophecms/sanitize-html: Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE