Fluid Attacks Database

Description

DOMPurify allows tampering by prototype pollution It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

This renders dompurify unable to avoid XSS attack.

Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	node-dompurify	=2.4.1+dfsg+~2.4.0-1 \|\| =2.4.1+dfsg+~2.4.0-2 \|\| >=0 <2.4.1+dfsg+~2.4.0-2+deb12u1	2.4.1+dfsg+~2.4.0-2+deb12u1
npm	dompurify	>=0 <2.5.4 \|\| >=3.0.0 <3.1.3	2.5.4, 3.1.3
rpm rhel9	grafana	-	-
rpm rhel10	grafana	-	-

Aliases

1. CVE-2024-458012. NVD-2024-458013. OSV-DEBIAN-2024-458014. OSV-2024-458015. GHSA-mmhx-hmjr-r6746. GCVE-2024-458017. SECURITY-TRACKER-CVE-2024-45801

References

1. https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r6742. https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b213. https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.