A sanitizer bypass in the sanitize-html library allows attackers to inject malicious HTML or JavaScript, leading to stored cross-site scripting (XSS) in dependent applications.

This is a sanitizer bypass vulnerability where content inside a disallowed xmp element is incorrectly processed as live HTML or JavaScript. This occurs in the default disallowedTagsMode: 'discard' path, allowing an attacker to inject malicious code.

With a CVSS score of 9.3, this vulnerability is critical for web applications relying on sanitize-html. Successful exploitation allows for stored XSS, which can be used to hijack user sessions, steal sensitive session cookies, or perform unauthorized actions on behalf of authenticated administrators.

Immediate Action: Update the sanitize-html library dependency to version 2.17.4 or later in all affected project environments.

Proactive Monitoring: Audit application logs for suspicious script injection patterns in user-submitted content fields and monitor for unexpected client-side script execution.

Compensating Controls: Implement a robust Content Security Policy (CSP) to restrict the execution of unauthorized scripts if an immediate library update is not feasible.

Public Exploit Available: True

Given the prevalence of this library in web application stacks, developers should prioritize updating to version 2.17.4. Failure to patch leaves applications vulnerable to persistent XSS attacks that can compromise user security.