CRITICAL🇵🇱 Wersja polska

CVE-2024-47875

CVSS 10.0v3.1pub. 2024-10-11upd. 2025-11-03

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of nested HTML/MathML/SVG tag structures during the sanitization process. An attacker can provide a specially crafted HTML string that, after processing by the browser's parser (DOM mutation), changes its structure in such a way that malicious XSS code — initially considered safe by DOMPurify — is ultimately rendered in the document. The mXSS mechanism works by serialization and deserialization of the DOM tree causing reproduction of deleted or modified payload.

Impact

A successful attack allows the attacker to execute arbitrary JavaScript code in the context of the victim's page (XSS), which can lead to session theft, modification of page content, and serious violations of application integrity and availability.

Mitigation & patch

DOMPurify should be updated to version 2.5.0 or newer (for the 2.x branch) or to version 3.1.3 or newer (for the 3.x branch). Patches are available in the project repository on GitHub.

Who is affected

DOMPurify (Cure53) in versions earlier than 2.5.0 and earlier than 3.1.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
  • Cure53 Dompurify

    APP
    Cure53
    < 2.5.03.0.0 – 3.1.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2024-48910CRITICAL9.1PL ✓ten sam produkt

Prototype pollution w bibliotece DOMPurify umożliwiający XSS

CVE-2024-45801HIGH7.3ten sam produkt

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discove...

CVE-2026-41240MEDIUM6.0ten sam produkt

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have...

CVE-2025-15599MEDIUM5.1ten sam produkt

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows...

CVE-2026-0540MEDIUM5.3ten sam produkt

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting...