CVE-2022-21169: Prototype Pollution in express-xss-sanitizer
The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing an attacker to bypass XSS sanitization.
AI Analysis
Technical Summary
CVE-2022-21169 is a high-severity vulnerability identified in the npm package express-xss-sanitizer, an Express middleware used in Node.js applications to sanitize request inputs and prevent Cross-Site Scripting (XSS) attacks. The vulnerability arises from a Prototype Pollution flaw via the allowedTags attribute. Prototype Pollution occurs when an attacker is able to manipulate the prototype of a base object (typically Object.prototype), thereby injecting or modifying properties that are inherited by every object built on that prototype. In this case, the allowedTags attribute, which is intended to specify which HTML tags are permitted during sanitization, can be exploited to alter the prototype chain. This manipulation allows attackers to bypass the sanitization mechanism, effectively enabling them to inject malicious scripts or payloads that would otherwise be filtered out. The vulnerability affects versions of express-xss-sanitizer prior to 1.1.3, though the exact affected versions are unspecified. The CVSS v3.1 base score is 7.3, indicating a high severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The vector rates the impact on confidentiality, integrity, and availability as low, but exploitation is relatively straightforward. No known exploits in the wild have been reported as of the publication date. The vulnerability is categorized under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, i.e. Prototype Pollution). This flaw can be leveraged by attackers to bypass XSS protections, potentially leading to client-side code execution, session hijacking, or other malicious activities within web applications using this package.
Potential Impact
For European organizations, especially those developing or deploying Node.js web applications that utilize express-xss-sanitizer, this vulnerability poses a significant risk. Exploitation could allow attackers to bypass XSS sanitization, leading to injection of malicious scripts that compromise user data confidentiality and application integrity. This can result in data breaches, unauthorized access, and reputational damage. Organizations in sectors such as finance, healthcare, e-commerce, and government, which handle sensitive personal data under GDPR regulations, face heightened compliance risks and potential legal consequences if exploited. The vulnerability's network accessibility and lack of required privileges mean that remote attackers can exploit it without authentication, increasing the threat surface. Additionally, the ability to bypass sanitization may facilitate further attacks like session hijacking or distribution of malware to end users. Given the widespread use of Node.js in web services across Europe, the impact could be broad, affecting both public-facing applications and internal tools that rely on this package for input sanitization.
Mitigation Recommendations
European organizations should immediately audit their Node.js applications to identify usage of express-xss-sanitizer. If found, they must upgrade to version 1.1.3 or later where the vulnerability is patched. In cases where upgrading is not immediately feasible, organizations should implement additional input validation and sanitization layers, possibly using alternative well-maintained libraries that do not suffer from prototype pollution issues. Code reviews should focus on ensuring that user-controlled inputs cannot influence prototype properties. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS attacks by restricting script execution sources. Regular dependency scanning and software composition analysis (SCA) tools should be integrated into the development lifecycle to detect vulnerable packages early. Monitoring application logs and web traffic for anomalous behavior indicative of XSS exploitation attempts is also recommended. Finally, educating developers about prototype pollution risks and secure coding practices will reduce the likelihood of similar vulnerabilities in the future.
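The Technical Summary above describes how an attacker-controlled configuration value can reach Object.prototype, and the mitigation text asks code reviews to ensure user-controlled input cannot influence prototype properties. The following added example is not code from express-xss-sanitizer; it is a hypothetical sanitizer-options merge showing the naive pattern that CWE-1321 describes beside a hardened version, together with a small runtime check a team can run after processing untrusted configuration. The function names and the JSON payload are constructed for illustration.

```javascript
// Added example (not express-xss-sanitizer's code): naive vs. hardened handling
// of a JSON-supplied sanitizer config such as {"allowedTags": [...]}.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// VULNERABLE pattern (illustrative): recursively copying untrusted JSON into a
// plain object lets a "__proto__" key walk straight into Object.prototype,
// because target["__proto__"] resolves to the shared prototype.
function naiveMerge(target, src) {
  for (const key of Object.keys(src)) {
    const v = src[key];
    if (v && typeof v === "object" && !Array.isArray(v)) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      naiveMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// HARDENED: copy into a null-prototype object, refuse prototype-reaching keys,
// and bound recursion depth so deeply nested config cannot exhaust the stack.
function safeMerge(src, depth = 0) {
  if (src === null || typeof src !== "object") return src;
  if (depth > 8) throw new Error("options nesting too deep");
  if (Array.isArray(src)) return src.map((x) => safeMerge(x, depth + 1));
  const out = Object.create(null);
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    out[key] = safeMerge(src[key], depth + 1);
  }
  return out;
}

// Keep the tag allowlist in a Set: membership tests never consult the
// prototype chain, so a polluted Object.prototype cannot add allowed tags.
function buildAllowedTags(options) {
  const tags = Array.isArray(options.allowedTags) ? options.allowedTags : [];
  return new Set(tags.map((t) => String(t).toLowerCase()));
}

// Health check for tests or startup: a fresh object must not inherit any of
// the probe keys; if it does, something has already written to the prototype.
function prototypeIsClean(probeKeys) {
  const fresh = {};
  return probeKeys.every((k) => !(k in fresh));
}
```

The `prototypeIsClean` probe is cheap enough to run in an integration test after every request that accepts configuration-like JSON, which turns a silent pollution into a failing test.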
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: snyk
- Date Reserved: 2022-02-24T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682e4ad00acd01a24924efa7
Added to database: 5/21/2025, 9:51:12 PM
Last enriched: 7/7/2025, 12:25:02 PM
Last updated: 8/15/2025, 3:44:54 AM