DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
The vulnerability results from improper handling of nested HTML/MathML/SVG tag structures during the sanitization process. An attacker can provide a specially crafted HTML string that, after processing by the browser's parser (DOM mutation), changes its structure in such a way that malicious XSS code — initially considered safe by DOMPurify — is ultimately rendered in the document. The mXSS mechanism works by serialization and deserialization of the DOM tree causing reproduction of deleted or modified payload.
A successful attack allows the attacker to execute arbitrary JavaScript code in the context of the victim's page (XSS), which can lead to session theft, modification of page content, and serious violations of application integrity and availability.
DOMPurify should be updated to version 2.5.0 or newer (for the 2.x branch) or to version 3.1.3 or newer (for the 3.x branch). Patches are available in the project repository on GitHub.
DOMPurify (Cure53) in versions earlier than 2.5.0 and earlier than 3.1.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:HCure53 Dompurify
APPCure53< 2.5.03.0.0 – 3.1.3 (bez)
Related vulnerabilities
Prototype pollution w bibliotece DOMPurify umożliwiający XSS
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discove...
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have...
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows...
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting...