CRITICAL 10.0

GHSA-gx9m-whjm-85jf

DOMPurify has a nesting-based mXSS

Details

DOMPurify was vulnerable to nesting-based mXSS.

Fixed by [0ef5e537](https://github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d7185f) (2.x) and [merge 943](https://github.com/cure53/DOMPurify/pull/943).

Backporters should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking.

A PoC is available under [test](https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098).

Affected packages

npm / dompurify
First affected version: 0, fixed version: 2.5.0
Fix: npm install dompurify@2.5.0

npm / dompurify
First affected version: 3.0.0, fixed version: 3.1.3
Fix: npm install dompurify@3.1.3

References