CVE-2020-26303: 
JavaScript vulnerability analysis and mitigation

insane is a whitelist-oriented HTML sanitizer that contains a vulnerability in versions 2.6.2 and prior. The vulnerability involves one or more regular expressions that are susceptible to Regular Expression Denial of Service (ReDoS). This security issue was discovered and reported on November 30, 2020 (GitHub Issue, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue stems from inefficient regular expression patterns that can cause excessive backtracking when processing specially crafted input (NVD).

When exploited, this vulnerability can lead to a denial of service condition by causing excessive CPU usage and potentially freezing the application when processing malicious input. The impact is primarily on the availability of the system, with no direct effect on confidentiality or integrity (Red Hat).

At the time of the vulnerability disclosure, no known patches were available. Users were advised to consider alternative HTML sanitization libraries or implement strict input validation (NVD).

The vulnerability raised concerns in the developer community, with users expressing the need to switch to alternative HTML sanitization libraries. Some developers noted that insane was chosen for its minimal size, and the security issue forced them to consider larger alternatives (GitHub Issue).