CVE-2024-47875 – dompurify

Package

Manager: npm
Name: dompurify
Vulnerable Version: >=0 <2.5.0 || >=3.0.0 <3.1.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H

EPSS: 0.00693 pctl0.70973

Details

DOMpurify has a nesting-based mXSS DOMpurify was vulnerable to nesting-based mXSS fixed by [0ef5e537](https://github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d7185f) (2.x) and [merge 943](https://github.com/cure53/DOMPurify/pull/943) Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking POC is avaible under [test](https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098)

Metadata

Created: 2024-10-11T17:27:29Z
Modified: 2024-10-11T17:27:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-gx9m-whjm-85jf/GHSA-gx9m-whjm-85jf.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-gx9m-whjm-85jf
Finding: F008
Auto approve: 1