Fluid Attacks Database

Description

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	node-dompurify	>=0 <3.0.9+dfsg+~3.0.5-1	3.0.9+dfsg+~3.0.5-1
npm	dompurify	>=0 <2.4.2	2.4.2
debian 11	cacti	=1.2.16+ds1-2 \|\| =1.2.16+ds1-2+deb11u1 \|\| =1.2.16+ds1-2+deb11u2 \|\| =1.2.16+ds1-2+deb11u3 \|\| =1.2.16+ds1-2+deb11u4 \|\| >=0 <1.2.16+ds1-2+deb11u5	1.2.16+ds1-2+deb11u5
debian 12	cacti	=1.2.24+ds1-1 \|\| =1.2.24+ds1-1+deb12u1 \|\| >=0 <1.2.24+ds1-1+deb12u2	1.2.24+ds1-1+deb12u2
debian 13	cacti	>=0 <1.2.26+ds1-1	1.2.26+ds1-1
debian 12	node-dompurify	=2.4.1+dfsg+~2.4.0-1 \|\| =2.4.1+dfsg+~2.4.0-2 \|\| >=0 <2.4.1+dfsg+~2.4.0-2+deb12u1	2.4.1+dfsg+~2.4.0-2+deb12u1
debian 14	node-dompurify	>=0 <3.0.9+dfsg+~3.0.5-1	3.0.9+dfsg+~3.0.5-1
debian 14	cacti	>=0 <1.2.26+ds1-1	1.2.26+ds1-1

Aliases

1. CVE-2024-489102. NVD-2024-489103. OSV-DEBIAN-2024-489104. OSV-2024-489105. GHSA-p3vf-v8qc-cwcr6. GCVE-2024-489107. SECURITY-TRACKER-CVE-2024-489108. lists.debian.org

References

1. https://github.com/Mitchellzhou1/CVE-2024-48910-PoC2. https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr3. https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.