CVE-2024-47875
Cross-Site Scripting (XSS) vulnerability in dompurify (npm)
What is CVE-2024-47875 About?
DOMPurify was vulnerable to a nesting-based mXSS (mutation Cross-Site Scripting) attack. Specially crafted, deeply nested HTML passed sanitization but was parsed into a different DOM once inserted into the page, leading to arbitrary JavaScript execution in the user's browser. Exploitation requires only the ability to submit HTML that the application sanitizes with a vulnerable version and renders to other users.
Affected Software
- dompurify
- >=3.0.0, <3.1.3
- <2.5.0
Technical Details
Before the fix, DOMPurify was susceptible to a nesting-based mXSS (mutation Cross-Site Scripting) flaw. DOMPurify sanitizes by parsing the input into a DOM, walking that tree to strip anything not allowed, and serializing the result back to a string; the application then re-parses that string when it inserts it into the page. Browser HTML parsers cap tree depth (Chromium's parser stops nesting at 512 levels and re-parents elements beyond that point), and sanitized markup is typically inserted deeper in the document than the shallow document DOMPurify parsed it in. A payload nested close to that limit therefore builds one tree during sanitization and a different one in the page: an element that was harmlessly contained in the tree DOMPurify inspected can end up outside its container, in a context where it becomes executable. Because the sanitizer never sees the mutated tree, nothing is stripped, and the outcome is arbitrary client-side script execution wherever the vulnerable sanitizer's output is rendered, whether the injection is reflected or stored. The fix closes the discrepancy by refusing to emit markup nested deeply enough to reach the browser's limit.
What is the Impact of CVE-2024-47875?
Successful exploitation may allow attackers to execute arbitrary client-side scripts, hijack user sessions, deface web pages, or redirect users to malicious sites.
What is the Exploitability of CVE-2024-47875?
Exploitation of this Cross-Site Scripting (XSS) vulnerability is of moderate complexity: the attacker must craft a deeply nested payload, but needs no authentication or privilege beyond the ability to submit HTML that the application sanitizes with a vulnerable DOMPurify and renders to other users (comments, profiles, rich-text editors, rendered HTML email). It is a remote attack delivered through the web application and applies equally to stored and reflected injection points. The likelihood of exploitation rises in applications that accept rich user content, and note that DOMPurify is frequently pulled in as a transitive dependency of Markdown, diagram and editor libraries, so the vulnerable copy may not be the one listed in the application's own package.json.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| daikinitanda | Link | PoC for CVE-2024-47875 |
| roj1py | Link | Self-described as a PoC/Exploit for "CVE-2024-47875 PhpSpreadsheet XSS"; that description does not match this CVE, which affects DOMPurify, so verify what the repository actually targets before relying on it |
What are the Available Fixes for CVE-2024-47875?
About the Fix from Resolved Security
The patch tracks the nesting depth of each element during the sanitization walk and removes any element (together with its subtree) whose depth reaches a fixed maximum (MAX_NESTING_DEPTH). Because a browser parser only re-parents elements at a depth far beyond that limit, sanitized output can no longer be nested deeply enough to be parsed differently when it is inserted into the page, which closes the mXSS vector behind CVE-2024-47875 while leaving ordinary markup untouched.
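As an added example illustrating both the parser discrepancy in the Technical Details above and the depth limit this fix introduces, the JavaScript below is my own model, not DOMPurify's code or its test suite. It simulates a browser-style tree builder with a 512-level cap (Chromium's real limit; attaching an over-deep element to its would-be parent's parent is the model's simplification of how the parser stays within it), a sanitizer that parses in a shallow document and serializes, and a page that re-parses the output deeper in the DOM. It then shows that pruning elements at MAX_NESTING_DEPTH in the sanitizer makes the output stable. The value 255 is my reading of the linked fix commit rather than something this page states; `payload`, `sanitizeModel`, `survivesReparse` and `parentNameOf` are names I chose, and markup is restricted to bare tags with no attributes or text.

```javascript
'use strict';

// Added model (not DOMPurify code): a depth-capped tree builder, a sanitizer
// that parses shallow and serializes, and a page that re-parses deeper.
// Markup is restricted to bare tags like <div></div>: no attributes, no text.

// Chromium's HTML parser caps DOM depth at 512. Attaching an over-deep element
// to its would-be parent's parent is this model's simplification of how the
// parser keeps the tree within the cap.
const PARSER_MAX_DEPTH = 512;

// Depth limit applied by the sanitizer after the fix. 255 is my reading of the
// linked fix commit; confirm against it before relying on the exact number.
const MAX_NESTING_DEPTH = 255;

function tokenize(html) {
  const tokens = [];
  const re = /<(\/?)([a-z0-9]+)>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    tokens.push(m[1] ? { close: m[2] } : { open: m[2] });
  }
  return tokens;
}

// Build a tree from a token stream. baseDepth is how deep the insertion point
// already sits in the surrounding document.
function buildTree(tokens, baseDepth, maxDepth = PARSER_MAX_DEPTH) {
  const root = { name: '#root', depth: baseDepth, parent: null, children: [] };
  const open = [root]; // stack of open elements; keeps growing past the cap
  for (const tok of tokens) {
    if (tok.open !== undefined) {
      let attachTo = open[open.length - 1];
      if (attachTo.depth + 1 > maxDepth && attachTo.parent) {
        attachTo = attachTo.parent; // cap reached: re-parent one level up
      }
      const el = { name: tok.open, depth: attachTo.depth + 1, parent: attachTo, children: [] };
      attachTo.children.push(el);
      open.push(el);
    } else {
      // Close the nearest matching open element; stray close tags are ignored.
      for (let i = open.length - 1; i > 0; i--) {
        if (open[i].name === tok.close) {
          open.length = i;
          break;
        }
      }
    }
  }
  return root;
}

function serialize(node) {
  return node.children.map((c) => `<${c.name}>${serialize(c)}</${c.name}>`).join('');
}

// Sanitizer side: parse into a fresh, shallow document (depth 1), drop any
// element nested maxNesting levels or more below the root, then serialize.
function sanitizeModel(html, maxNesting = Infinity) {
  const root = buildTree(tokenize(html), 1);
  const prune = (node) => {
    node.children = node.children.filter((c) => c.depth - root.depth < maxNesting);
    node.children.forEach(prune);
  };
  prune(root);
  return serialize(root);
}

// Page side: does the string the sanitizer approved build the same tree when
// inserted pageDepth levels down (think container.innerHTML = sanitized)?
function survivesReparse(sanitized, pageDepth) {
  return serialize(buildTree(tokenize(sanitized), pageDepth)) === sanitized;
}

// Name of the parent that the first element called `name` ends up under.
function parentNameOf(html, baseDepth, name) {
  const stack = [buildTree(tokenize(html), baseDepth)];
  while (stack.length > 0) {
    const n = stack.pop();
    if (n.name === name) return n.parent.name;
    stack.push(...n.children);
  }
  return null;
}

// Constructed payload: containers nested deep enough that the cap is crossed
// only once the markup is inserted into a page that is already ten levels deep.
const payload = '<div>'.repeat(505) + '<p><b></b></p>' + '</div>'.repeat(505);

const unpatched = sanitizeModel(payload);
console.log('unpatched output unchanged:', unpatched === payload); // true
console.log('parent of <b> at depth 1 vs 10:', parentNameOf(unpatched, 1, 'b'), parentNameOf(unpatched, 10, 'b')); // p div
console.log('unpatched survives re-parse at depth 10:', survivesReparse(unpatched, 10)); // false

const patched = sanitizeModel(payload, MAX_NESTING_DEPTH);
console.log('patched survives re-parse at depth 10:', survivesReparse(patched, 10)); // true
```

Run it with node. The sanitizer parses at depth 1 and the page inserts at depth 10, which is all it takes for the same string to build two different trees: `<b>` is a child of `<p>` in the tree the sanitizer approved and a sibling of it in the tree the page renders. The same idea works as a regression check against real DOMPurify in a browser: sanitize, insert into the actual target container, read back innerHTML, sanitize again and confirm nothing changed. Output that is not a fixed point of parse-and-serialize is a mutation candidate.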
Available Upgrade Options
- dompurify
- <2.5.0 → Upgrade to 2.5.0
- dompurify
- >=3.0.0, <3.1.3 → Upgrade to 3.1.3
Treat these as minimum versions: later releases fixed further sanitizer bypasses, so move to the current release of the line you use rather than pinning exactly to 2.5.0 or 3.1.3, and check for nested copies of dompurify installed under other dependencies, which the top-level version does not cover.
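As an added example that is not from this page or the DOMPurify project, the JavaScript below reads the packages map of a package-lock.json (lockfileVersion 2 or 3) and flags every installed copy of dompurify, nested copies included, whose version falls in the affected ranges above. The lockfile, the package names and the version numbers in SAMPLE_LOCK are constructed for the example; `isVulnerableDompurify`, `scanLockfile` and `vulnerablePaths` are names I chose.

```javascript
'use strict';

// Added example (not from the page or the DOMPurify project): scan a
// package-lock.json "packages" map (lockfileVersion 2 or 3) for every installed
// copy of dompurify, including nested copies pulled in by other dependencies,
// and flag those inside this advisory's affected ranges.

// Affected per the advisory: <2.5.0, and >=3.0.0 <3.1.3.
const FIXED_2X = [2, 5, 0];
const FIRST_3X = [3, 0, 0];
const FIXED_3X = [3, 1, 3];

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = affected, false = fixed, null = version could not be parsed (review by hand).
function isVulnerableDompurify(version) {
  const v = parseSemver(version);
  if (!v) return null;
  // A prerelease such as 3.1.3-rc.1 sorts before 3.1.3 and so predates the fix.
  const before = (bound) =>
    compareCore(v.core, bound) < 0 || (v.prerelease && compareCore(v.core, bound) === 0);
  if (before(FIXED_2X)) return true;
  if (compareCore(v.core, FIRST_3X) >= 0 && before(FIXED_3X)) return true;
  return false;
}

function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Matches node_modules/dompurify at any nesting level, but not
    // @types/dompurify or packages whose name merely starts with "dompurify".
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    findings.push({ path, version: entry.version, vulnerable: isVulnerableDompurify(entry.version) });
  }
  return findings;
}

// Affected or unparseable copies as "path@version" strings, in lockfile order.
function vulnerablePaths(lock) {
  return scanLockfile(lock)
    .filter((f) => f.vulnerable !== false)
    .map((f) => `${f.path}@${f.version}`);
}

// Constructed lockfile fragment standing in for a real package-lock.json; the
// package names and versions are invented for the example.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { dompurify: '^3.1.2', 'markdown-widget': '^1.0.0' } },
    'node_modules/@types/dompurify': { version: '3.0.5' },
    'node_modules/dompurify': { version: '3.1.2' },
    'node_modules/markdown-widget': { version: '1.0.0', dependencies: { dompurify: '^2.4.7' } },
    'node_modules/markdown-widget/node_modules/dompurify': { version: '2.4.7' },
    'node_modules/legacy-editor': { version: '1.0.0', dependencies: { dompurify: '2.5.0' } },
    'node_modules/legacy-editor/node_modules/dompurify': { version: '2.5.0' },
    'node_modules/new-widget': { version: '1.0.0', dependencies: { dompurify: '^3.1.6' } },
    'node_modules/new-widget/node_modules/dompurify': { version: '3.1.6' },
  },
};

console.log(vulnerablePaths(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested copies are the point: a project can sit on 3.1.3 at the top level while one dependency bundles its own 2.x copy, and only a lockfile scan or `npm ls dompurify` will show it.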
Additional Resources
- https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a
- https://nvd.nist.gov/vuln/detail/CVE-2024-47875
- https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf
- https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f
- https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098
- https://osv.dev/vulnerability/GHSA-gx9m-whjm-85jf
- https://github.com/cure53/DOMPurify
What are Similar Vulnerabilities to CVE-2024-47875?
Similar Vulnerabilities: CVE-2023-44825, CVE-2023-34199, CVE-2022-46633, CVE-2022-45145, CVE-2021-4196
