Description
It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.
This renders dompurify unable to prevent XSS attacks.
Fixed by https://github.
Recommendation
Update the dompurify package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 3.0.0, < 3.1.3** and **< 2.5.4**. Patched version(s): **3.1.3** and **2.5.4**.
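To confirm that no affected copy is still resolved, including transitive ones, the version ranges above can be applied to a `package-lock.json`. This is an added example, not part of the original advisory; the sample lockfile and the package names `some-editor`, `other-widget` and `my-dompurify-wrapper` are constructed, and pre-release suffixes are ignored.

```javascript
// Added example: flag dompurify copies in a package-lock.json (lockfileVersion 2/3)
// whose version falls in the ranges this advisory lists as affected.
const PATCHED_3 = [3, 1, 3]; // patched 3.x release named in the advisory
const PATCHED_2 = [2, 5, 4]; // patched 2.x release named in the advisory

// Parse "x.y.z"; pre-release/build suffixes are ignored (simplifying assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Affected per the advisory: >= 3.0.0 and < 3.1.3, or anything < 2.5.4.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable versions are not classified here
  return v[0] >= 3 ? lessThan(v, PATCHED_3) : lessThan(v, PATCHED_2);
}

// Walk the lockfile "packages" map so nested (transitive) copies are found too.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/dompurify": { version: "3.1.3" },
    "node_modules/some-editor/node_modules/dompurify": { version: "2.4.7" },
    "node_modules/other-widget/node_modules/dompurify": { version: "3.0.9" },
    "node_modules/my-dompurify-wrapper": { version: "2.0.0" },
  },
};

console.log(findAffected(sampleLock));
```

A patched top-level copy does not clear nested copies pinned by other dependencies, which is why the check walks every `node_modules/dompurify` path rather than only the root entry.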
References
Related Issues
- appium-chromedriver downloads Resources over HTTP - CVE-2016-10557
- DOMPurify vulnerable to tampering by prototype pollution - CVE-2024-48910
- Command Injection in lodash (GHSA-35jh-r3h4-6jhm) - CVE-2021-23337
- Angular (deprecated package) Cross-site Scripting - CVE-2022-25869
Tags: npm, dompurify
Last updated on September 16, 2024