Key Information

Vulnerability Description
- Vulnerability Type: XSS (Cross-Site Scripting)
- Cause: Bypassing the sanitizer via overlapping patterns (multi-character replacement)
- Affected Package: @mathharo/promptcraft-sanitize
- Affected Versions: >=0.1.0
- Fixed Version: None

Impact
CVSS v3 Base Metrics:
- Severity: High (8.2/10)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
CVE ID: CVE-2025-58353
Weaknesses: CWE-20, CWE-80, CWE-116, CWE-184

Impact Details
Summary: The package uses regex-based blacklist sanitization (e.g., , , and ) to clean user input. Because the blacklisted patterns are multi-character tokens and each replacement is applied only once, removing one occurrence can splice the surrounding characters into a new instance of a blocked token. The "cleaned" value may therefore still contain executable payloads; when used in or injected into the DOM, this can lead to XSS.

Remediation Recommendations
Preferred: Use well-tested sanitizers (e.g., DOMPurify in browsers or sanitize-html in Node.js).
If using regex: Apply the replacements repeatedly until the string no longer changes (a fixed point), or switch to character-level filtering. Example code for minimal safe mode is provided.
Additional Recommendations:
- Do not pass untrusted strings to .
- When constructing values, prefer whitelisted safe URLs.
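The following is an added illustration, not code from @mathharo/promptcraft-sanitize: a single-pass blacklist replacement of the kind the advisory describes next to the fixed-point variant it recommends, with a check that flags output still containing a blocked token. The token list and the sample input are constructed for this example; the advisory does not list the package's actual patterns.

```javascript
// Constructed token list (assumption for this example; not the package's real patterns).
const BLOCKED_TOKENS = ['<script>', '</script>', 'javascript:', 'onerror='];

// Build a global, case-insensitive regex for a literal token.
function tokenRegex(token) {
  return new RegExp(token.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'gi');
}

// Vulnerable pattern from the advisory: every blacklisted token is removed exactly once.
// String.prototype.replace scans the original string, so a token that is only formed
// by the removal of an inner occurrence survives untouched.
function sanitizeSinglePass(input) {
  let out = input;
  for (const t of BLOCKED_TOKENS) out = out.replace(tokenRegex(t), '');
  return out;
}

// Remediation: repeat the whole pass until no replacement changes the string.
// A round limit guards against pathological input; refusing is safer than emitting
// an output that was never verified to be stable.
function sanitizeUntilStable(input, maxRounds = 100) {
  let out = input;
  for (let i = 0; i < maxRounds; i++) {
    const before = out;
    for (const t of BLOCKED_TOKENS) out = out.replace(tokenRegex(t), '');
    if (out === before) return out;
  }
  throw new Error('sanitizer did not converge');
}

// Verification check: does the sanitizer's output still contain a blocked token?
function containsBlockedToken(s) {
  const lower = s.toLowerCase();
  return BLOCKED_TOKENS.some((t) => lower.includes(t.toLowerCase()));
}

// Constructed sample: removing the inner "<script>" / "</script>" joins the fragments
// around them into new "<script>" / "</script>" tokens that a single pass never sees.
const SAMPLE = '<scr<script>ipt>alert(1)</scr</script>ipt>';
```

Running `sanitizeSinglePass(SAMPLE)` yields `<script>alert(1)</script>`, which `containsBlockedToken` flags, while `sanitizeUntilStable(SAMPLE)` reduces it to `alert(1)`.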