Platform
nodejs
Component
dompurify
Fixed in
2.5.1
3.1.4
2.5.0
DOMPurify, a popular JavaScript library for sanitizing HTML input, is vulnerable to a nesting-based mutation XSS (mXSS) attack. This vulnerability allows attackers to bypass DOMPurify's sanitization and inject malicious JavaScript code into web pages. The issue affects versions prior to 2.5.0 and has been fixed in that release. A public proof-of-concept demonstrates the exploit.
The nesting-based mXSS vulnerability in DOMPurify allows attackers to execute arbitrary JavaScript code within the context of a user's browser. This can lead to a wide range of malicious activities, including session hijacking, credential theft, defacement of web pages, and redirection to phishing sites. The impact is particularly severe because DOMPurify is often used to sanitize user-supplied content, making it a critical component in many web applications. Successful exploitation could compromise the integrity and confidentiality of sensitive data and user accounts. This vulnerability shares similarities with other XSS bypass techniques that exploit nuances in HTML parsing and sanitization logic.
This vulnerability was publicly disclosed on 2024-10-11. A public proof-of-concept is available on GitHub, demonstrating the exploit. The CVSS score is 10 (CRITICAL), the highest severity rating. It is not currently listed on CISA KEV, but its severity warrants close monitoring. Active campaigns exploiting this vulnerability are not yet confirmed, but the availability of a PoC increases the risk of exploitation.
Applications and websites that rely on DOMPurify to sanitize user-supplied HTML input are at risk. This includes content management systems (CMS), forums, online editors, and any other web application that allows users to submit HTML content. Applications using older versions of DOMPurify, or those that have not implemented robust input validation, are particularly exposed.
• nodejs / server: Run npm list dompurify and check the installed version of DOMPurify. If it is less than 2.5.0, the system is vulnerable.
• generic web: Inspect the DOMPurify JavaScript file for the fix (commit hash 0ef5e537). If the file doesn't contain this commit, the system is vulnerable.
• generic web: Review application logs for any unusual JavaScript execution patterns or errors related to DOMPurify.
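As an added example (not code from this advisory or from the DOMPurify project), the following Node.js snippet applies the version check above to the JSON form of npm ls output, walking the dependency tree so that transitive copies of dompurify are reported with their path. The thresholds are taken from this page's remediation text (2.5.0 for the 2.x line, 3.1.3 for the 3.x line); the header also lists 2.5.1 and 3.1.4, so treat the thresholds as an assumption to adjust to your own policy. The npm output embedded below is constructed sample data.

```javascript
// Added example: flag vulnerable DOMPurify installs from `npm ls --json --all` output.
// Thresholds per this page's text (assumption: other major lines are not covered
// by this check and should be reviewed manually).
const FIXED = { 2: [2, 5, 0], 3: [3, 1, 3] };

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when the installed version is below the fixed release of its major line
function isVulnerableDompurify(version) {
  const parsed = parseSemver(version);
  const fixed = FIXED[parsed[0]];
  if (!fixed) return false; // unknown major line: outside this page's thresholds
  return compareSemver(parsed, fixed) < 0;
}

// Recursively walk the `dependencies` tree and collect every dompurify node,
// including transitive copies bundled under other packages.
function findDompurify(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'dompurify') {
      out.push({ path: here.join(' > '), version: node.version,
                 vulnerable: isVulnerableDompurify(node.version) });
    }
    findDompurify(node, here, out);
  }
  return out;
}

// Constructed sample of `npm ls dompurify --json --all` output (not real data).
const SAMPLE_NPM_LS = {
  name: 'example-app',
  dependencies: {
    dompurify: { version: '2.4.7' },
    'some-editor': { version: '1.0.0', dependencies: { dompurify: { version: '3.1.6' } } },
  },
};

console.log(findDompurify(SAMPLE_NPM_LS));
```

To run it against a real project, replace SAMPLE_NPM_LS with JSON.parse of the captured npm ls output.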
disclosure
poc
Exploit status
EPSS
0.70% (percentile 72%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-47875 is to upgrade to DOMPurify version 2.5.0 or later, which includes the fix. If upgrading is not immediately feasible, consider temporary workarounds such as carefully reviewing and validating all user-supplied HTML input before passing it to DOMPurify. WAF rules can be configured to detect and block suspicious HTML patterns that might indicate an mXSS attempt. Thoroughly test any configuration changes or workarounds to ensure they do not introduce new vulnerabilities or break existing functionality. After upgrading, confirm the fix by attempting to inject a simple XSS payload through DOMPurify and verifying that it is properly sanitized.
Update the DOMPurify library to version 2.5.0 or later, or to version 3.1.3 or later. This fixes the nesting-based Cross-Site Scripting (XSS) vulnerability. You can update the library using your preferred package manager, such as npm or yarn.
CVE-2024-47875 is a critical vulnerability in DOMPurify allowing attackers to bypass sanitization and execute malicious JavaScript through nesting exploits. It affects versions before 2.5.0.
You are affected if you are using DOMPurify version 2.4.0 or earlier. Check your installed version using npm list dompurify.
Upgrade to DOMPurify version 2.5.0 or later. If an immediate upgrade isn't possible, implement temporary workarounds such as careful input validation and WAF rules.
While active exploitation isn't confirmed, a public proof-of-concept exists, increasing the risk. Monitor your systems closely.
Refer to the DOMPurify GitHub repository for updates and information: https://github.com/cure53/DOMPurify