{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-29771", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-11T14:23:00.474Z", "datePublished": "2025-03-14T18:56:24.504Z", "dateUpdated": "2025-03-18T14:26:06.976Z"}, "containers": {"cna": {"title": "HtmlSanitizer vulnerable to XSS when used with contentEditable", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/jitbit/HtmlSanitizer/security/advisories/GHSA-vhv4-fh94-jm5x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jitbit/HtmlSanitizer/security/advisories/GHSA-vhv4-fh94-jm5x"}, {"name": "https://github.com/jitbit/HtmlSanitizer/commit/af6d2a78877e7277cd01c825b7fb50edb5956963", "tags": ["x_refsource_MISC"], "url": "https://github.com/jitbit/HtmlSanitizer/commit/af6d2a78877e7277cd01c825b7fb50edb5956963"}], "affected": [{"vendor": "jitbit", "product": "HtmlSanitizer", "versions": [{"version": "< 2.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-14T19:06:37.288Z"}, "descriptions": [{"lang": "en", "value": "HtmlSanitizer is a client-side HTML Sanitizer. Versions prior to 2.0.3 have a cross-site scripting vulnerability when the sanitizer is used with a `contentEditable` element to set the elements `innerHTML` to a sanitized string produced by the package. If the code is particularly crafted to abuse the code beautifier, that runs AFTER sanitation. The issue is patched in version 2.0.3."}], "source": {"advisory": "GHSA-vhv4-fh94-jm5x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-18T14:25:51.723087Z", "id": "CVE-2025-29771", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-18T14:26:06.976Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-29771", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-18T14:25:51.723087Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-18T14:25:29.356Z"}}], "cna": {"title": "HtmlSanitizer vulnerable to XSS when used with contentEditable", "source": {"advisory": "GHSA-vhv4-fh94-jm5x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "jitbit", "product": "HtmlSanitizer", "versions": [{"status": "affected", "version": "< 2.0.3"}]}], "references": [{"url": "https://github.com/jitbit/HtmlSanitizer/security/advisories/GHSA-vhv4-fh94-jm5x", "name": "https://github.com/jitbit/HtmlSanitizer/security/advisories/GHSA-vhv4-fh94-jm5x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jitbit/HtmlSanitizer/commit/af6d2a78877e7277cd01c825b7fb50edb5956963", "name": "https://github.com/jitbit/HtmlSanitizer/commit/af6d2a78877e7277cd01c825b7fb50edb5956963", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "HtmlSanitizer is a client-side HTML Sanitizer. Versions prior to 2.0.3 have a cross-site scripting vulnerability when the sanitizer is used with a `contentEditable` element to set the elements `innerHTML` to a sanitized string produced by the package. If the code is particularly crafted to abuse the code beautifier, that runs AFTER sanitation. The issue is patched in version 2.0.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-14T19:06:37.288Z"}}}, "cveMetadata": {"cveId": "CVE-2025-29771", "state": "PUBLISHED", "dateUpdated": "2025-03-18T14:26:06.976Z", "dateReserved": "2025-03-11T14:23:00.474Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-14T18:56:24.504Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HtmlSanitizer is a client-side HTML Sanitizer. Versions prior to 2.0.3 have a cross-site scripting vulnerability when the sanitizer is used with a `contentEditable` element to set the elements `innerHTML` to a sanitized string produced by the package. If the code is particularly crafted to abuse the code beautifier, that runs AFTER sanitation. The issue is patched in version 2.0.3."}, {"lang": "es", "value": "HtmlSanitizer es un depurador de HTML del lado del cliente. Las versiones anteriores a la 2.0.3 presentan una vulnerabilidad de cross-site scripting cuando se usa con un elemento `contentEditable` para asignar los elementos `innerHTML` a una cadena depurada generada por el paquete. Si el c\u00f3digo est\u00e1 manipulado espec\u00edficamente para abusar del embellecedor de c\u00f3digo, este se ejecuta DESPU\u00c9S de la depuraci\u00f3n. El problema se solucion\u00f3 en la versi\u00f3n 2.0.3."}], "id": "CVE-2025-29771", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-03-14T19:15:48.847", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jitbit/HtmlSanitizer/commit/af6d2a78877e7277cd01c825b7fb50edb5956963"}, {"source": "security-advisories@github.com", "url": "https://github.com/jitbit/HtmlSanitizer/security/advisories/GHSA-vhv4-fh94-jm5x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}