Platform
nodejs
Component
dompurify
Fixed in
2.5.1
3.1.4
2.5.0
DOMPurify, a popular JavaScript library for sanitizing HTML input, is vulnerable to a nesting-based mutation XSS (mXSS) attack. This vulnerability allows attackers to bypass DOMPurify's sanitization and inject malicious JavaScript into web pages. The issue affects versions prior to 2.5.0 and has been fixed in that release. A public proof-of-concept demonstrates the exploit.
The nesting-based mXSS vulnerability in DOMPurify allows attackers to execute arbitrary JavaScript within the context of a user's browser. This can lead to a wide range of malicious activity, including session hijacking, credential theft, defacement of web pages, and redirection to phishing sites. The impact is particularly severe because DOMPurify is typically used to sanitize user-supplied content, making it a critical component in many web applications. Successful exploitation could compromise the integrity and confidentiality of sensitive data and user accounts. This vulnerability shares similarities with other XSS bypass techniques that exploit nuances in HTML parsing and sanitization logic.
This vulnerability was publicly disclosed on 2024-10-11. A public proof-of-concept is available on GitHub, demonstrating the exploit. The CVSS score is 10 (CRITICAL), indicating a high probability of exploitation. It is not currently listed on CISA KEV, but its severity warrants close monitoring. Active campaigns exploiting this vulnerability are not yet confirmed, but the availability of a PoC increases the risk of exploitation.
Applications and websites that rely on DOMPurify to sanitize user-supplied HTML input are at risk. This includes content management systems (CMS), forums, online editors, and any other web application that allows users to submit HTML content. Applications using older versions of DOMPurify, or those that have not implemented robust input validation, are particularly exposed.
• nodejs / server: Run npm list dompurify and check the installed version of DOMPurify. If it is lower than 2.5.0, the system is vulnerable.
• generic web: Inspect the DOMPurify JavaScript file for the fix (commit hash 0ef5e537). If the file does not contain this commit, the system is vulnerable.
• generic web: Review application logs for any unusual JavaScript execution patterns or errors related to DOMPurify.
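The npm check above only reports what a single npm list run prints, and DOMPurify is frequently pulled in transitively by editors and widget libraries. The following script is an added example (it is not DOMPurify project code and does not come from this advisory): it walks the JSON tree produced by npm ls dompurify --all --json, lists every installed copy with its dependency path, and flags the copies below the fixed versions stated in the remediation text (2.5.0 for the 2.x line, 3.1.3 for the 3.x line). The sample tree, the package names rich-editor and legacy-widget, and all function names are constructed for illustration.

```javascript
// Added example (not DOMPurify project code): locate every copy of dompurify in
// the JSON tree printed by `npm ls dompurify --all --json` and flag the ones
// below the fixed version for their major line. The thresholds are taken from
// the advisory text (2.5.0 for 2.x, 3.1.3 for 3.x); the "Fixed in" header also
// lists 2.5.1 and 3.1.4, so raise them if your policy tracks those releases.
const FIXED_BY_MAJOR = { 2: '2.5.0', 3: '3.1.3' };

// Parse the leading major.minor.patch of a version string into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric semver comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` predates the fix for its major line.
function isVulnerable(version, fixedByMajor = FIXED_BY_MAJOR) {
  const [major] = parseVersion(version);
  const fixed = fixedByMajor[major];
  if (fixed !== undefined) return compareVersions(version, fixed) < 0;
  // Major lines without a listed fix: anything older than the oldest fixed
  // line counts as affected ("versions prior to 2.5.0"); newer majors are
  // assumed to carry the fix.
  const oldestFixedMajor = Math.min(...Object.keys(fixedByMajor).map(Number));
  return major < oldestFixedMajor;
}

// Walk an `npm ls --json` tree depth-first and record each dompurify node
// with its dependency path, so transitive copies (the ones npm shows nested
// under another package) are not missed.
function findDompurify(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === 'dompurify' && node.version) {
      out.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: isVulnerable(node.version),
      });
    }
    findDompurify(node, here, out);
  }
  return out;
}

// Returns only the findings that need action; the caller decides on exit codes.
function vulnerableCopies(tree) {
  return findDompurify(tree).filter((f) => f.vulnerable);
}

// Constructed sample of `npm ls dompurify --all --json` output: one direct
// copy at a fixed version and two older copies pulled in transitively.
const SAMPLE_NPM_LS = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    dompurify: { version: '3.1.3' },
    'rich-editor': {
      version: '4.2.0',
      dependencies: { dompurify: { version: '2.4.7' } },
    },
    'legacy-widget': {
      version: '0.9.1',
      dependencies: { dompurify: { version: '1.0.11' } },
    },
  },
};

for (const f of findDompurify(SAMPLE_NPM_LS)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.version.padEnd(8)} ${f.path}`);
}
```

In a real check, replace SAMPLE_NPM_LS with JSON.parse of the captured command output. The path column matters for remediation: a vulnerable copy nested under another package is fixed by updating or overriding that package's dependency, not by bumping the top-level dompurify entry alone.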
disclosure
poc
Exploit status
EPSS
0.70% (72nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-47875 is to upgrade to DOMPurify version 2.5.0 or later, which includes the fix. If upgrading is not immediately feasible, consider temporary workarounds such as carefully reviewing and validating all user-supplied HTML input before passing it to DOMPurify. WAF rules can be configured to detect and block suspicious HTML patterns that might indicate an mXSS attempt. Thoroughly test any configuration changes or workarounds to ensure they do not introduce new vulnerabilities or break existing functionality. After upgrading, confirm the fix by attempting to inject a simple XSS payload through DOMPurify and verifying that it is properly sanitized.
Update the DOMPurify library to version 2.5.0 or higher, or to version 3.1.3 or higher. This fixes the nesting-based cross-site scripting (XSS) vulnerability. You can update the library with your preferred package manager, e.g. npm or yarn.
CVE-2024-47875 is a critical vulnerability in DOMPurify that allows attackers to bypass sanitization and execute malicious JavaScript through nesting exploits. It affects versions before 2.5.0.
You are affected if you are using DOMPurify version 2.4.0 or earlier. Check your installed version using npm list dompurify.
Upgrade to DOMPurify version 2.5.0 or later. If an immediate upgrade is not possible, implement temporary workarounds such as careful input validation and WAF rules.
While active exploitation isn't confirmed, a public proof-of-concept exists, increasing the risk. Monitor your systems closely.
Refer to the DOMPurify GitHub repository for updates and information: https://github.com/cure53/DOMPurify