Description
DOMPurify was vulnerable to nesting-based mXSS (mutation XSS: markup that passes the sanitizer, but whose sanitized serialization is re-parsed by the browser into a different DOM tree containing executable content).
Fixed by commit 0ef5e537 (2.x) and merge 943.
Backporters should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking.
A PoC is available under the test directory.
Recommendation
Update the dompurify package to the latest compatible version. Version details:
Affected version(s): **>= 3.0.0, < 3.1.3** and **< 2.5.0**. Patched version(s): **3.1.3** and **2.5.0**.
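The two affected ranges above are easy to misread in a lockfile audit, especially when a nested copy of dompurify sits under another dependency. The following script is an added example, not code from this advisory or from the DOMPurify project: it walks every `node_modules/dompurify` entry in a package-lock.json (lockfileVersion 2 or 3 "packages" map is assumed), compares each version against the affected ranges using semver precedence rules (including pre-release ordering, so `3.1.3-rc.1` is still flagged), and reports the patched version to move to. The sample lockfile is constructed for illustration.

```javascript
// Added example, not code from the advisory or from the DOMPurify project.
// Flags installed dompurify versions that fall in the affected ranges stated
// in this advisory: >= 3.0.0 < 3.1.3, and < 2.5.0.
// Assumption: package-lock.json in lockfileVersion 2 or 3 format ("packages" map).

const AFFECTED_RANGES = [
  // min is inclusive (null = no lower bound), max is exclusive
  { min: "3.0.0", max: "3.1.3", fixed: "3.1.3" },
  { min: null,    max: "2.5.0", fixed: "2.5.0" },
];

// Parse "1.2.3", "v1.2.3", "1.2.3-rc.1" or "1.2.3+build" into core numbers and pre-release ids.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : [] };
}

// Compare one pre-release identifier each, per semver: numeric ids compare as
// numbers, alphanumeric ids compare lexically, and numeric sorts before alphanumeric.
function comparePreId(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Semver precedence: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.core[i] !== vb.core[i]) return va.core[i] < vb.core[i] ? -1 : 1;
  }
  // A pre-release sorts before the same version without one.
  if (va.pre.length === 0 && vb.pre.length === 0) return 0;
  if (va.pre.length === 0) return 1;
  if (vb.pre.length === 0) return -1;
  const n = Math.min(va.pre.length, vb.pre.length);
  for (let i = 0; i < n; i++) {
    const c = comparePreId(va.pre[i], vb.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(va.pre.length - vb.pre.length);
}

// Return the patched version to move to if `version` is affected, otherwise null.
function affectedBy(version) {
  for (const r of AFFECTED_RANGES) {
    const aboveMin = r.min === null || compareVersions(version, r.min) >= 0;
    const belowMax = compareVersions(version, r.max) < 0;
    if (aboveMin && belowMax) return r.fixed;
  }
  return null;
}

// Check every installed copy of dompurify in a v2/v3 lockfile, nested copies included.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    const fixed = affectedBy(entry.version);
    findings.push({ path, version: entry.version, affected: fixed !== null, fixed });
  }
  return findings;
}

// Constructed sample lockfile: one direct dependency and one nested, already patched copy.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/dompurify": { version: "3.1.2" },
    "node_modules/legacy-widget": { version: "0.9.0" },
    "node_modules/legacy-widget/node_modules/dompurify": { version: "2.5.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node <this file> [path/to/package-lock.json]; defaults to the sample above.
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of scanLockfile(lock)) {
    console.log(`${f.path}@${f.version}: ${f.affected ? `AFFECTED, update to ${f.fixed}` : "ok"}`);
  }
}
```

Note that the `< 2.5.0` range, read literally, also covers every 1.x release; the script follows the stated range rather than narrowing it. For a project whose lockfile is still lockfileVersion 1 (the `dependencies` tree), the `packages` map is absent and the scan returns nothing, so check the `lockfileVersion` field first.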
References
- GHSA-gx9m-whjm-85jf
- lists.debian.org
- seclists.org
- CVE-2024-47875
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- DOMPurify vulnerable to tampering by prototype pollution - CVE-2024-48910
- DOMPurify allows tampering by prototype pollution - CVE-2024-45801
- Cross-site scripting in Swagger-UI - CVE-2019-17495
- DOMPurify Open Redirect vulnerability - CVE-2019-25155
Tags
- npm
- dompurify
Last updated on November 03, 2025