Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tbWh4LWhtanItcjY3NM4AA_kd
DOMPurify allows tampering by prototype pollution
It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.
This renders dompurify unable to avoid XSS attack.
Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).
Permalink: https://github.com/advisories/GHSA-mmhx-hmjr-r674JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tbWh4LWhtanItcjY3NM4AA_kd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 7.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS Percentage: 0.00045
EPSS Percentile: 0.17541
Identifiers: GHSA-mmhx-hmjr-r674, CVE-2024-45801
References:
- https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
- https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21
- https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc
- https://nvd.nist.gov/vuln/detail/CVE-2024-45801
- https://github.com/advisories/GHSA-mmhx-hmjr-r674
Blast Radius: 33.3
Affected Packages
npm:dompurify
Dependent packages: 1,705Dependent repositories: 56,633
Downloads: 23,841,503 last month
Affected Version Ranges: >= 3.0.0, < 3.1.3, < 2.5.4
Fixed in: 3.1.3, 2.5.4
All affected versions: 0.4.0, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.9.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.1.0, 3.1.1, 3.1.2
All unaffected versions: 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.2.0, 3.2.1, 3.2.2, 3.2.3