CVE-2025-59364 identifies a vulnerability in the Express XSS Sanitizer package for Node.js, specifically version 2.0.0. The vulnerability is classified under CWE-674, which pertains to uncontrolled recursion. The issue arises in the sanitize function located in lib/sanitize.js, which processes JSON request bodies. Due to unbounded recursion depth, an attacker can craft a malicious JSON payload that triggers excessive recursive calls within the sanitizer. This can lead to a denial-of-service (DoS) condition by exhausting the call stack or system resources, causing the application to crash or become unresponsive. The vulnerability does not impact confidentiality or integrity directly, as it does not allow code injection or data manipulation beyond the recursion issue. Exploitation requires no privileges or user interaction and can be triggered remotely over the network by sending a specially crafted JSON request to a vulnerable server using Express XSS Sanitizer 2.0.0. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability highlights the risk of insufficient input validation and recursion control in security-critical libraries that sanitize user input to prevent cross-site scripting (XSS) attacks.

For European organizations, the primary impact of this vulnerability is the potential for denial-of-service attacks against web applications that utilize the Express XSS Sanitizer package version 2.0.0. Such DoS attacks can disrupt business operations, degrade service availability, and damage reputation, especially for organizations relying on Node.js-based web services for customer-facing portals, APIs, or internal tools. While the vulnerability does not lead to data breaches or unauthorized data modification, service outages can result in financial losses and compliance issues under regulations like GDPR if service interruptions affect data processing or availability commitments. Organizations in sectors with high availability requirements, such as finance, healthcare, and e-commerce, are particularly vulnerable. Additionally, the ease of exploitation without authentication or user interaction increases the attack surface, making automated scanning and exploitation feasible by threat actors. The lack of known exploits currently provides a window for proactive mitigation before widespread attacks occur.

To mitigate this vulnerability, European organizations should first identify any usage of the Express XSS Sanitizer package version 2.0.0 within their Node.js applications. Given no official patch is currently linked, organizations should consider the following specific actions: 1) Temporarily disable or replace the Express XSS Sanitizer with alternative, well-maintained sanitization libraries that do not exhibit uncontrolled recursion behavior. 2) Implement input validation and size limits on JSON request bodies at the application or API gateway level to prevent excessively nested or large payloads that could trigger recursion. 3) Employ runtime protections such as limiting the maximum call stack size or using Node.js process monitoring to detect and mitigate abnormal resource consumption. 4) Monitor application logs and network traffic for unusual patterns indicative of recursive payload attempts. 5) Engage with the Express XSS Sanitizer maintainers or community to track patch releases and apply updates promptly once available. 6) Conduct security testing, including fuzzing and recursive input testing, to identify similar recursion vulnerabilities in custom sanitization code. These targeted measures go beyond generic advice by focusing on controlling recursion depth, input size, and alternative sanitization strategies.