Prototype Pollution Vulnerability in DOMPurify by Cure53
CVE-2024-48910

9.1CRITICAL

Key Information:

Vendor: Cure53
Status: Dompurify
Vendor: CVE Published:; 31 October 2024

What is CVE-2024-48910?

DOMPurify, a well-known XSS sanitizer designed for HTML, MathML, and SVG, was found to have a prototype pollution vulnerability that could potentially allow an attacker to modify object prototypes, leading to harmful behaviors in web applications. This issue has been resolved in version 2.4.2. Website operators and developers using DOMPurify are encouraged to update to the latest version to ensure their applications remain secure against this type of vulnerability.

Affected Version(s)

DOMPurify < 2.4.2

References

https://github.com/cure53/DOMPurify/security/advisories/G...

x_refsource_CONFIRM

https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b...

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 31, 2024

CVE-2024-48910 Data

JSON