Description
It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.
This renders DOMPurify unable to prevent XSS attacks.
Fixed by https://github.
Recommendation
Update the dompurify package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 3.0.0, < 3.1.3** and **< 2.5.4**
Patched version(s): **3.1.3**, **2.5.4**
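To apply the recommendation, every installed copy of dompurify has to be checked, including copies nested under other dependencies. The following is an added example, not code from the advisory or from the DOMPurify project: it walks the `packages` map of a package-lock.json and flags versions inside the affected ranges above. The sample lockfile and the package names `some-editor`, `other-widget` and `dompurify-helper` are constructed, and pre-release suffixes are ignored as a simplifying assumption.

```javascript
// Patched versions per release line, as stated in the advisory.
const PATCHED = { 2: [2, 5, 4], 3: [3, 1, 3] };

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// true = inside an affected range, false = outside, null = unparseable version.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  if (v[0] >= 3) return lessThan(v, PATCHED[3]); // 3.x line: >= 3.0.0, < 3.1.3
  return lessThan(v, PATCHED[2]);                // everything below 2.5.4
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every installed copy of dompurify, including nested ones.
function findDompurify(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile; the dependent package names are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/dompurify": { version: "3.1.3" },
    "node_modules/some-editor/node_modules/dompurify": { version: "2.5.3" },
    "node_modules/other-widget/node_modules/dompurify": { version: "3.0.11" },
    "node_modules/dompurify-helper": { version: "1.0.0" },
  },
};

for (const f of findDompurify(SAMPLE_LOCK)) {
  console.log(`${f.affected ? "AFFECTED" : "ok"}\t${f.version}\t${f.path}`);
}
```

A nested copy that is flagged stays vulnerable even when the top-level dompurify is patched, so the dependent package must be updated or the nested version overridden.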
References
Related Issues
- DOMPurify vulnerable to tampering by prototype pollution - CVE-2024-48910
- jsonic was discovered to contain a prototype pollution via the function empty. - CVE-2024-38993
- Blackprint @blackprint/engine Prototype Pollution issue - CVE-2024-24294
- Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) - CVE-2025-27597
- Tags:
- npm
- dompurify
Last updated on September 16, 2024