CVE-2025-29771

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-29771

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-29771.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-29771

Aliases

GHSA-vhv4-fh94-jm5x

Published

2025-03-14T19:15:48Z

Modified

2025-03-17T05:50:19.447114Z

Summary

[none]

Details

HtmlSanitizer is a client-side HTML Sanitizer. Versions prior to 2.0.3 have a cross-site scripting vulnerability when the sanitizer is used with a contentEditable element to set the elements innerHTML to a sanitized string produced by the package. If the code is particularly crafted to abuse the code beautifier, that runs AFTER sanitation. The issue is patched in version 2.0.3.

References

Affected packages

Git / github.com/jitbit/htmlsanitizer

Affected ranges

Type: GIT
Repo: https://github.com/jitbit/htmlsanitizer
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

af6d2a78877e7277cd01c825b7fb50edb5956963

Affected versions

1.*

1.0.0

1.0.1

2.*

2.0.0

2.0.1

2.0.2