CVE-2025-59364: 
JavaScript vulnerability analysis and mitigation

The express-xss-sanitizer (aka Express XSS Sanitizer) package through version 2.0.0 for Node.js contains a denial-of-service vulnerability due to unbounded recursion depth in the sanitize() function located in lib/sanitize.js when processing JSON request bodies (MITRE, GitHub POC). The vulnerability was discovered and disclosed on September 14, 2025.

The vulnerability stems from the sanitize() function's implementation in lib/sanitize.js which recursively traverses arrays and objects without implementing maximum depth limits, node limits, or cycle detection mechanisms. This implementation flaw can trigger a RangeError exception with the message 'Maximum call stack size exceeded' when processing deeply nested JSON payloads. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (MITRE).

When successfully exploited, this vulnerability can lead to denial of service conditions by starving the event loop and causing repeated 500 responses or process termination. The impact primarily affects the availability of applications using the vulnerable express-xss-sanitizer package (GitHub POC).

The vulnerability affects all versions through 2.0.0 of the express-xss-sanitizer package. Users should monitor the project's GitHub repository and npm package page for security updates and new releases that address this vulnerability (Express XSS Sanitizer).