CVE-2024-45801 — Regex Denial of Service in Dompurify

CWE-1333 — Regex Denial of Service CWE-1321 — Prototype Pollution CWE-79 — Cross-site Scripting11 documents8 sources

Severity

6.1MEDIUMNVD

CNA7.3GHSA7.3

EPSS

0.1%

top 78.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cure53 Dompurify

Timeline

PublishedSep 16

Latest updateJan 15

Description

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There ar…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5cure53/dompurify< 2.5.4+1

▶NVDcure53/dompurify3.0.0 — 3.1.3+1

▶npmcure53/dompurify3.0.0 — 3.1.3+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

DOMpurify has a nesting-based mXSS↗2024-10-11

▶

CVEList

Tampering by prototype polution in DOMPurify↗2024-09-16

▶

GHSA

DOMPurify allows tampering by prototype pollution↗2024-09-16

▶

OSV

DOMPurify allows tampering by prototype pollution↗2024-09-16

▶

OSV

CVE-2024-45801: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG↗2024-09-16

▶

📋Vendor Advisories

Oracle

Oracle Oracle Utilities Applications Risk Matrix: General (DOMPurify) — CVE-2024-45801↗2025-01-15

▶

Atlassian

CVE-2024-45801: 10.0.0 to 10.0.1 5.17.0 to 5.17.3 5.16.0 to 5.16.1 5.15.2 5.14.0 to 5.14.1 5.13.0 to 5.13.1 5.12.0 to 5.12.14 (LTS) 5.11↗2024-11-19

▶

Oracle

Oracle Oracle Application Express Risk Matrix: General (DOMPurify) — CVE-2024-45801↗2024-10-15

▶

Red Hat

dompurify: XSS vulnerability via prototype pollution↗2024-09-16

▶

Debian

CVE-2024-45801: node-dompurify - DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathM...↗2024

▶