CVE-2024-47875
📋 TL;DR
DOMPurify versions before 2.5.0 and 3.1.3 contain a nesting-based mutation XSS (mXSS) vulnerability that allows attackers to bypass HTML sanitization and execute arbitrary JavaScript in victim browsers. This affects any web application using vulnerable DOMPurify versions to sanitize user-controlled HTML input. The vulnerability is particularly dangerous because it bypasses a security library specifically designed to prevent XSS attacks.
💻 Affected Systems
- DOMPurify
📦 What is this software?
Dompurify by Cure53
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of user sessions, account takeover, data theft, and full control over victim browser sessions through persistent XSS payloads.
Likely Case
Attackers inject malicious scripts that steal session cookies, credentials, or perform actions on behalf of authenticated users.
If Mitigated
Limited impact if input validation and output encoding are also implemented, but still represents a significant security bypass.
🎯 Exploit Status
Proof of concept exists in the test suite and security advisory. The vulnerability bypasses DOMPurify's primary security function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.0 or 3.1.3
Vendor Advisory: https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf
Restart Required: No
Instructions:
1. Update the DOMPurify dependency to version 2.5.0 or higher (for v2) or 3.1.3 or higher (for v3).
2. For npm: 'npm update dompurify'.
3. For yarn: 'yarn upgrade dompurify'.
4. Verify that the updated version is the one actually being loaded.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation and output encoding layers alongside DOMPurify
Content Security Policy
Implement strict Content Security Policy headers to mitigate XSS impact
🧯 If You Can't Patch
- Implement additional HTML sanitization using alternative libraries or custom validation
- Disable features that accept HTML input from untrusted sources until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check package.json or lock files for DOMPurify version below 2.5.0 (for v2) or below 3.1.3 (for v3)
Check Version:
npm list dompurify | grep dompurify (for npm) or check package.json directly
Verify Fix Applied:
Verify DOMPurify version is 2.5.0+ or 3.1.3+ in package.json and that the application loads the updated version
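A scripted form of the version check above, as an added example that is not part of this advisory or of DOMPurify's own code. It assumes a package-lock.json with a "packages" map (lockfileVersion 2 or 3) and uses the fixed versions stated above; the lock fragment it scans is constructed for illustration.

```javascript
// Added example (not DOMPurify's own code): flag installed dompurify copies
// that fall in the range affected by CVE-2024-47875. Fixed versions per the
// advisory: 2.5.0 for the v2 line and 3.1.3 for the v3 line.

// Parse a concrete "x.y.z" version (optional leading "v"; prerelease/build
// suffix ignored). Ranges such as "^2.4.7" or ">=3" return null on purpose:
// a package.json range does not say what is installed; read the lock file.
function parseVersion(spec) {
  const m = String(spec).trim().match(/^v?(\d+)\.(\d+)\.(\d+)/);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = affected, false = fixed, null = not a concrete version.
function isVulnerableDompurify(spec) {
  const v = parseVersion(spec);
  if (v === null) return null;
  if (v[0] >= 4) return false;                      // later majors than the fixed lines
  if (v[0] === 3) return compareVersions(v, [3, 1, 3]) < 0;
  return compareVersions(v, [2, 5, 0]) < 0;         // v2 and anything older
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2/3) and
// report every dompurify copy, including nested ones pulled in transitively.
function auditLock(lock) {
  const packages = (lock && lock.packages) || {};
  return Object.entries(packages)
    .filter(([path]) => path === "node_modules/dompurify" || path.endsWith("/node_modules/dompurify"))
    .map(([path, meta]) => ({ path, version: meta.version, vulnerable: isVulnerableDompurify(meta.version) }));
}

// Constructed lock file fragment for illustration (not from a real project):
// the top-level copy is patched but a transitive dependency still ships 2.4.7.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/dompurify": { version: "3.1.3" },
    "node_modules/some-editor/node_modules/dompurify": { version: "2.4.7" },
  },
};

console.log(auditLock(sampleLock));
```

Nested copies under another package's node_modules are the ones 'npm list dompurify' can hide from a quick glance, so check every path the audit returns.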
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML patterns with nested elements in user input
- JavaScript execution from sanitized content
Network Indicators:
- Suspicious script tags in POST/PUT requests to endpoints that process HTML
SIEM Query:
source=web_logs AND (http_method=POST OR http_method=PUT) AND (body CONTAINS "<script>" OR body CONTAINS "javascript:")
🔗 References
- https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098
- https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f
- https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a
- https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf
- http://seclists.org/fulldisclosure/2025/Apr/14
- https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html