PT-2023-9640 · Dompurify · Dompurify

Eslerm · Published 2023-01-05 · Updated 2025-09-23 · CVE-2024-48910

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DOMPurify versions prior to 2.4.2

Description: The issue is an uncontrolled modification of object prototype attributes (prototype pollution) in the DOMPurify JavaScript library, which is used to sanitize HTML and protect against injected markup. A remote attacker can exploit it to affect the confidentiality and integrity of protected information: polluted prototypes lead to improper object modification and, potentially, to remote code execution.

Recommendations: For DOMPurify versions prior to 2.4.2, update to version 2.4.2 or later, which fixes the vulnerability. As a temporary workaround, restrict the use of the __proto__ property and the hasOwnField function to minimize the risk of exploitation, and avoid relying on the ALLOWED_ATTR values in the affected HTML sanitization process until the issue is resolved.

Exploit

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers:
BDU:2024-09092
CVE-2024-48910
DLA-4048-1
GHSA-P3VF-V8QC-CWCR

Affected Products: Dompurify