CRITICAL 10.0

GHSA-gx9m-whjm-85jf

DOMpurify has a nesting-based mXSS

Details

DOMpurify was vulnerable to nesting-based mXSS

fixed by [0ef5e537](https://github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d7185f) (2.x) and [merge 943](https://github.com/cure53/DOMPurify/pull/943)

Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking

POC is avaible under [test](https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098)

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / dompurify

Introduced in: 0 Fixed in: 2.5.0

Fix npm install dompurify@2.5.0

npm / dompurify

Introduced in: 3.0.0 Fixed in: 3.1.3

Fix npm install dompurify@3.1.3

References

https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2024-47875 [ADVISORY]
https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f [WEB]
https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a [WEB]
https://github.com/cure53/DOMPurify [PACKAGE]
https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098 [WEB]
https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html [WEB]
http://seclists.org/fulldisclosure/2025/Apr/14 [WEB]