HIGH 7.0

GHSA-mmhx-hmjr-r674

DOMPurify allows tampering by prototype pollution

상세

It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

This renders dompurify unable to avoid XSS attack.

Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / dompurify

최초 영향 버전: 0 수정 버전: 2.5.4

수정 npm install dompurify@2.5.4

npm / dompurify

최초 영향 버전: 3.0.0 수정 버전: 3.1.3

수정 npm install dompurify@3.1.3

참고

https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2024-45801 [ADVISORY]
https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 [WEB]
https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc [WEB]
https://github.com/cure53/DOMPurify [PACKAGE]