HIGH🇵🇱 Wersja polska

CVE-2024-45801

CVSS 7.3v3.1pub. 2024-09-16upd. 2025-09-22

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Cure53 Dompurify

    APP
    Cure53
    < 2.5.43.0.0 – 3.1.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2024-48910CRITICAL9.1PL ✓ten sam produkt

Prototype pollution w bibliotece DOMPurify umożliwiający XSS

CVE-2024-47875CRITICAL10.0PL ✓ten sam produkt

DOMPurify — podatność mXSS oparta na zagnieżdżaniu znaczników

CVE-2026-41240MEDIUM6.0ten sam produkt

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have...

CVE-2025-15599MEDIUM5.1ten sam produkt

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows...

CVE-2026-0540MEDIUM5.3ten sam produkt

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting...