Platform
nodejs
Component
dompurify
Fixed in
2.5.1
3.1.4
2.5.0
DOMPurify, a widely used JavaScript library for sanitizing HTML input, is vulnerable to a nesting-based mutation XSS (mXSS) attack. The flaw lets attackers bypass DOMPurify's sanitization and inject malicious JavaScript into web pages. It affects versions prior to 2.5.0 and is fixed in that release. A public proof-of-concept demonstrates the bypass.
The nesting-based mXSS vulnerability in DOMPurify allows attackers to execute arbitrary JavaScript in the context of a user's browser session. This enables session hijacking, credential theft, page defacement, and redirection to phishing sites. The impact is particularly severe because DOMPurify is commonly used to sanitize user-supplied content, making it a critical component in many web applications. Successful exploitation could compromise the integrity and confidentiality of sensitive data and user accounts. The vulnerability is related to other XSS bypass techniques that exploit nuances in HTML parsing and sanitization logic.
This vulnerability was publicly disclosed on 2024-10-11, and a public proof-of-concept is available on GitHub. The CVSS score is 10 (CRITICAL), the maximum severity rating. It is not currently listed in CISA KEV, but its severity warrants close monitoring. Active exploitation campaigns have not been confirmed, but the availability of a PoC increases the likelihood of exploitation.
Exploit Status
EPSS
0.70% (72nd percentile)
The primary mitigation for CVE-2024-47875 is to upgrade to DOMPurify version 2.5.0 or later, which contains the fix. If upgrading is not immediately feasible, apply temporary workarounds: review and validate all user-supplied HTML before passing it to DOMPurify, and configure WAF rules to detect and block suspicious HTML patterns that may indicate an mXSS attempt. Test any configuration change or workaround thoroughly so that it neither introduces new vulnerabilities nor breaks existing functionality. After upgrading, confirm the fix by passing a simple XSS payload through DOMPurify and verifying that it is properly sanitized.
Update the DOMPurify library to version 2.5.0 or higher, or to version 3.1.3 or higher, using your preferred package manager (npm or yarn). This resolves the nesting-based cross-site scripting (XSS) vulnerability.
CVE-2024-47875 is a critical vulnerability in DOMPurify that allows attackers to bypass sanitization and execute malicious JavaScript through a nesting-based mXSS bypass. It affects versions before 2.5.0.
You are affected if you are using DOMPurify version 2.4.0 or earlier. Check your installed version with npm list dompurify.
Upgrade to DOMPurify version 2.5.0 or later. If an immediate upgrade is not possible, apply temporary workarounds such as careful input validation and WAF rules.
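The version check and the post-upgrade verification described above, written out as an added example (this is not code from the advisory or from the DOMPurify project). It assumes the fix thresholds the advisory text names (2.5.0 for the 2.x line and 3.1.3 for 3.x; the header also lists 2.5.1 and 3.1.4, so the threshold list is a parameter you can raise), uses constructed probe strings, and only loads dompurify and jsdom if they happen to be installed:

```javascript
'use strict';
// Added example: post-upgrade check for CVE-2024-47875. Not DOMPurify's code.
// Assumption: the fix versions below are the ones the advisory text names;
// pass your own list to assessVersion() if your policy follows the header.
const FIXED_VERSIONS = ['2.5.0', '3.1.3'];

// Parse "v2.4.7" or "2.4.7-beta" into [2, 4, 7]; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// 'fixed' when at or above the fix on the same major line, 'vulnerable' when
// below it, 'unknown' for a major line the list says nothing about (review by hand).
function assessVersion(installed, fixedVersions = FIXED_VERSIONS) {
  const major = parseVersion(installed)[0];
  const fix = fixedVersions.find((f) => parseVersion(f)[0] === major);
  if (!fix) return 'unknown';
  return compareVersions(installed, fix) >= 0 ? 'fixed' : 'vulnerable';
}

// Constructed probes: the "simple XSS payload" the advisory suggests using to
// confirm the fix. Each must come out of the sanitizer with no executable residue.
const PROBES = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">x</a>',
];

// Names of executable constructs still present in sanitizer output (heuristic).
function residualXssIndicators(html) {
  const checks = {
    'script-tag': /<\s*script\b/i,
    'event-handler-attribute': /\son[a-z]+\s*=/i,
    'javascript-uri': /javascript\s*:/i,
  };
  return Object.keys(checks).filter((name) => checks[name].test(html));
}

// Run every probe through `sanitize` and collect the ones that leave residue.
function verifySanitizer(sanitize, probes = PROBES) {
  const failures = [];
  for (const probe of probes) {
    const output = sanitize(probe);
    const indicators = residualXssIndicators(output);
    if (indicators.length) failures.push({ probe, output, indicators });
  }
  return { passed: failures.length === 0, failures };
}

// Optional live check: DOMPurify needs a DOM in Node, which jsdom provides.
// Returns null when either package is not installed so the script still runs.
function loadDomPurify() {
  try {
    const { JSDOM } = require('jsdom');
    const createDOMPurify = require('dompurify');
    const version = require('dompurify/package.json').version;
    const purify = createDOMPurify(new JSDOM('').window);
    return { version, sanitize: (s) => purify.sanitize(s) };
  } catch (e) {
    return null;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const live = loadDomPurify();
  if (!live) {
    console.log('dompurify/jsdom not installed; nothing to check live');
  } else {
    console.log(`dompurify ${live.version}: ${assessVersion(live.version)}`);
    const result = verifySanitizer(live.sanitize);
    console.log(result.passed ? 'all probes sanitized' : JSON.stringify(result.failures, null, 2));
  }
}
```

Run it with node from the project directory after updating; an 'unknown' verdict means the installed major line is not in the threshold list and should be compared against the advisory by hand. The indicator regexes are a smoke check for executable residue in sanitizer output, and a passing probe shows only that the simple payload is handled.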
While active exploitation has not been confirmed, a public proof-of-concept exists, which increases the risk. Monitor your systems closely.
Refer to the DOMPurify GitHub repository for updates and information: https://github.com/cure53/DOMPurify