Critical XSS Sanitizer Bypass Vulnerability Patched in express-xss-sanitizer v2.0.2

A security vulnerability has been identified in express-xss-sanitizer, a widely-used Node.js middleware for sanitizing cross-site scripting (XSS) inputs in Express applications. The flaw, tracked as CVE-2026-33979 and documented under GitHub Security Advisory GHSA-3843-rr4g-m8jq, involves a bypass in the allowedTags and allowedAttributes sanitization mechanisms. The vulnerability enables permissive sanitization, potentially allowing malicious scripts to bypass filtering and execute in client browsers. Version 2.0.2 has been released to address this issue.

The vulnerability specifically affects the library's core sanitization logic, where attackers could manipulate input to circumvent tag and attribute allowlists. This creates a risk for applications that rely on express-xss-sanitizer to protect user-generated content, API endpoints, or any user-controlled data streams. The flaw is particularly concerning given the library's role as a defensive layer in the request processing pipeline.

Developers using express-xss-sanitizer versions 2.0.1 and earlier are strongly advised to upgrade to v2.0.2 immediately. Applications that cannot update should implement additional input validation layers as a temporary mitigation. The NVD and GitHub Advisory Database both contain detailed technical analysis for security teams assessing exposure. Given the library's position in the request chain, any successful exploitation could compromise the confidentiality and integrity of affected application sessions.