CVE-2025-29771 MEDIUM

CVE-2025-29771: HtmlSanitizer vulnerable to XSS when used with contentEditable

Vendor Jitbit
Product HtmlSanitizer
Weakness CWE-79 · XSS
Published March 14, 2025
Last update March 18, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

HtmlSanitizer is a client-side HTML sanitizer. Versions prior to 2.0.3 have a cross-site scripting vulnerability when the sanitizer is used with a `contentEditable` element to set the element's `innerHTML` to a sanitized string produced by the package. The vulnerability can be triggered if the code is specifically crafted to abuse the code beautifier, which runs AFTER sanitization. The issue is patched in version 2.0.3.

Key dates

02 Disclosure timeline

March 14, 2025 CVE published
March 18, 2025 Record updated