CVE-2024-45801

Name of the Vulnerable Software and Affected Versions DOMPurify versions prior to 2.5.4 DOMPurify versions prior to 3.1.3

Description The issue is related to the DOMPurify library, which is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML, and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. Additionally, it was possible to use Prototype Pollution to weaken the depth check, rendering DOMPurify unable to avoid cross-site scripting (XSS) attacks.

Recommendations For DOMPurify versions prior to 2.5.4, upgrade to version 2.5.4 or later. For DOMPurify versions prior to 3.1.3, upgrade to version 3.1.3 or later. As a temporary workaround, consider restricting the use of the DOMPurify library until a patch is available.