Description
DOMPurify was vulnerable to nesting-based mXSS (mutation XSS): browsers' HTML parsers cap element nesting depth and restructure deeper trees, so markup that DOMPurify had sanitized could re-parse, when inserted into the document, into a different tree that executes script.
Fixed by commit 0ef5e537 (2.x) and merge 943 (3.x).
Backporters should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801), a follow-up to this fix, when cherry-picking.
A proof of concept is available under the repository's test directory.
Recommendation
Update the dompurify package to the latest compatible version. Note that both release lines are affected, so a 2.x consumer must move to 2.5.0 or later and a 3.x consumer to 3.1.3 or later. Version details:
Affected version(s): **>= 3.0.0, < 3.1.3** and **< 2.5.0** Patched version(s): **3.1.3** and **2.5.0**
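Because DOMPurify is usually pulled in transitively (rich-text editors, Markdown renderers, chart libraries), a single `npm ls` line can miss nested copies. The following added example, not part of this advisory or of the DOMPurify project, audits a lockfile object against the two affected ranges above. It assumes the lockfile uses the `packages` map of lockfileVersion 2 or 3, where nested copies appear under paths like `node_modules/<dep>/node_modules/dompurify`; the `SAMPLE_LOCK` object is constructed for the demonstration.

```javascript
// Added example (not DOMPurify code): flag dompurify copies in a lockfile that
// fall inside the CVE-2024-47875 ranges ">= 3.0.0, < 3.1.3" and "< 2.5.0".

// Each range is [min, max) on (major, minor, patch).
const AFFECTED_RANGES = [
  { min: [3, 0, 0], max: [3, 1, 3] }, // 3.0.0 <= v < 3.1.3
  { min: [0, 0, 0], max: [2, 5, 0] }, // v < 2.5.0
];

// Parse "x.y.z" (optionally "vx.y.z" or with a -prerelease suffix). A
// prerelease is conservatively treated as its base release, so "3.1.3-rc.1"
// is reported as patched; adjust if your tree ships prereleases.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) < 0
  );
}

// Walk the lockfile "packages" map and collect every dompurify copy,
// including ones nested under other dependencies.
function findDomPurify(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/dompurify' || path.endsWith('/node_modules/dompurify')) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Paths of the copies that still need updating.
function auditLock(lock) {
  return findDomPurify(lock).filter((h) => h.affected).map((h) => h.path);
}

// Constructed lockfile fragment: a hoisted 3.1.2, a nested 2.4.9 under a
// hypothetical editor package, and a patched 3.1.3 under another package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/dompurify': { version: '3.1.2' },
    'node_modules/legacy-editor': { version: '4.2.0' },
    'node_modules/legacy-editor/node_modules/dompurify': { version: '2.4.9' },
    'node_modules/md-renderer': { version: '2.0.0' },
    'node_modules/md-renderer/node_modules/dompurify': { version: '3.1.3' },
  },
};

for (const hit of findDomPurify(SAMPLE_LOCK)) {
  console.log(`${hit.affected ? 'AFFECTED' : 'ok      '} ${hit.version.padEnd(8)} ${hit.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a lockfileVersion 1 file has no `packages` map and would need its nested `dependencies` tree walked instead.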
References
- GHSA-gx9m-whjm-85jf
- lists.debian.org
- seclists.org
- CVE-2024-47875
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Svelte has a potential mXSS vulnerability due to improper HTML escaping - CVE-2024-45047
- Nuxt Devtools has a Path Traversal: '../filedir' - CVE-2024-23657
- Trix has a Cross-site Scripting vulnerability on copy & paste - CVE-2024-43368
- CouchAuth has a Server-Side Template Injection vulnerability in its email functionality - CVE-2024-57177
Tags:
- npm
- dompurify
Last updated on November 03, 2025