CVE-2024-45801
Description
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2024-45801 NameCVE-2024-45801 DescriptionDOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid…
CVE-2024-45801
| Name | CVE-2024-45801 |
| Description | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| node-dompurify (PTS) | bookworm | 2.4.1+dfsg+~2.4.0-2+deb12u1 | fixed |
| bookworm (security) | 2.4.1+dfsg+~2.4.0-2 | vulnerable | |
| trixie | 3.1.7+dfsg+~3.0.5-2 | fixed | |
| forky | 3.4.2+dfsg-1 | fixed | |
| sid | 3.4.5+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-dompurify | source | bookworm | 2.4.1+dfsg+~2.4.0-2+deb12u1 | |||
| node-dompurify | source | (unstable) | (not affected) |
Notes
- node-dompurify <not-affected> (Vulnerable code not present in a Debian released version)
https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
Depth checking added in (with followups): https://github.com/cure53/DOMPurify/commit/c5369f2995819e1c338d9ffe136f2da25f12a81e (3.1.1)
Fixed by: https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.1.3)
Depth checking added in: https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f (2.5.1)
Fixed by: https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.5.3)
CVE assigned for the bypass of the depth checking added to DOMPurify.
Apply commands
- node-dompurify <not-affected> (Vulnerable code not present in a Debian released version)https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674Depth checking added in (with followups): https://github.com/cure53/DOMPurify/commit/c5369f2995819e1c338d9ffe136f2da25f12a81e (3.1.1)Fixed by: https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.1.3)Depth checking added in: https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f (2.5.1)Fixed by: https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.5.3)CVE assigned for the bypass of the depth checking added to DOMPurify.OS impact
Debian Fixed 4 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 0 |
| sid | Fixed | 0 |
| forky | Fixed | 0 |
| bookworm | Fixed | 2.4.1+dfsg+~2.4.0-2+deb12u1 |
References
- https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
- https://nvd.nist.gov/vuln/detail/CVE-2024-45801
- https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21
- https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc
- https://github.com/cure53/DOMPurify
- https://security-tracker.debian.org/tracker/CVE-2024-45801
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.