| Name | CVE-2024-45801 |
| Description | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| node-dompurify (PTS) | bookworm | 2.4.1+dfsg+~2.4.0-2+deb12u1 | fixed |
| bookworm (security) | 2.4.1+dfsg+~2.4.0-2 | vulnerable | |
| sid, trixie | 3.1.7+dfsg+~3.0.5-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-dompurify | source | bookworm | 2.4.1+dfsg+~2.4.0-2+deb12u1 | |||
| node-dompurify | source | (unstable) | (not affected) |
- node-dompurify <not-affected> (Vulnerable code not present in a Debian released version)
https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
Depth checking added in (with followups): https://github.com/cure53/DOMPurify/commit/c5369f2995819e1c338d9ffe136f2da25f12a81e (3.1.1)
Fixed by: https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.1.3)
Depth checking added in: https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f (2.5.1)
Fixed by: https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.5.3)
CVE assigned for the bypass of the depth checking added to DOMPurify.