CVE-2024-47875

Name	CVE-2024-47875
Description	DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-5790-1
Debian Bugs	1084983

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cacti (PTS)	bullseye	1.2.16+ds1-2+deb11u3	vulnerable
	bullseye (security)	1.2.16+ds1-2+deb11u4	vulnerable
	bookworm	1.2.24+ds1-1+deb12u4	fixed
	bookworm (security)	1.2.24+ds1-1+deb12u2	fixed
	sid, trixie	1.2.28+ds1-3	fixed
node-dompurify (PTS)	bookworm	2.4.1+dfsg+~2.4.0-2+deb12u1	fixed
	bookworm (security)	2.4.1+dfsg+~2.4.0-2	fixed
	sid, trixie	3.1.7+dfsg+~3.0.5-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
cacti	source	bookworm	1.2.24+ds1-1+deb12u2
cacti	source	(unstable)	1.2.26+ds1-1
node-dompurify	source	bookworm	2.4.1+dfsg+~2.4.0-2	DSA-5790-1
node-dompurify	source	(unstable)	3.1.6+dfsg+~3.0.5-1		1084983

Notes

https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf
https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f (2.5.1)
https://github.com/cure53/DOMPurify/pull/943
https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a (3.1.1)
When fixing the issue be aware that the fixing commit would introduce CVE-2024-45801
when only cherry-picking commits.
Mark cacti/1.2.26+ds1-1 which is the version starting to depend on node-dompurify
and link purify.js instead of using the upstream version.