Description
It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.
This renders dompurify unable to avoid XSS attack.
Fixed by https://github.
Recommendation
Update the dompurify package to the latest compatible version. Followings are version details:
Affected version(s): **>= 3.0.0, < 3.1.3 < 2.5.4** Patched version(s): **3.1.3 2.5.4**
References
Related Issues
- DOMPurify vulnerable to tampering by prototype polution - CVE-2024-48910
- vue-i18n has cross-site scripting vulnerability with prototype pollution - CVE-2024-52809
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 2 - CVE-2024-52810
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 3 - CVE-2024-52810
- Tags:
- npm
- dompurify
Anything's wrong? Let us know Last updated on September 16, 2024