CVE-2024-45801

NameCVE-2024-45801
DescriptionDOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-dompurify (PTS)bookworm2.4.1+dfsg+~2.4.0-1vulnerable
trixie3.0.9+dfsg+~3.0.5-1vulnerable
sid3.1.6+dfsg+~3.0.5-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-dompurifysource(unstable)3.1.6+dfsg+~3.0.5-1

Notes

https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
Fixed by: https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.1.3)
Fixed by: https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.5.3)
Search for package or bug name: Reporting problems