CVE-2025-29771
Severity: MEDIUM
HtmlSanitizer < 2.0.3 - Cross-Site Scripting via ContentEditable InnerHTML Injection
Title source: llmDescription
HtmlSanitizer is a client-side HTML sanitizer. Versions prior to 2.0.3 have a cross-site scripting vulnerability when the sanitizer is used with a `contentEditable` element to set the element's `innerHTML` to a sanitized string produced by the package. The issue is triggered by input specifically crafted to abuse the code beautifier, which runs AFTER sanitization. The issue is patched in version 2.0.3.
References
Vendor Advisory (x_refsource_confirm)
https://github.com/jitbit/HtmlSanitizer/security/advisories/GHSA-vhv4-fh94-jm5x
Scores
CVSS v4
5.3
EPSS
0.0037
EPSS Percentile
29.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
jitbit/htmlsanitizer
0 - 2.0.3 (npm)
jitbit/HtmlSanitizer
< 2.0.3
Published
Mar 14, 2025
Tracked Since
Feb 18, 2026