{ "dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": { "cveId": "CVE-2019-25225", "assignerOrgId": "596c5446-0ce5-4ba2-aa66-48b3b757a647", "state": "PUBLISHED", "assignerShortName": "Checkmarx", "dateReserved": "2025-09-05T16:03:18.243Z", "datePublished": "2025-09-08T10:02:42.945Z", "dateUpdated": "2025-09-08T15:18:19.841Z" }, "containers": { "cna": { "affected": [ { "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected", "packageName": "sanitize-html", "versions": [ { "lessThan": "2.0.0-beta", "status": "affected", "version": "0", "versionType": "npm" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "
`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.