CVE-2024-45801: 
JavaScript vulnerability analysis and mitigation

DOMPurify, a DOM-only XSS sanitizer for HTML, MathML and SVG, was found to have a vulnerability (CVE-2024-45801) where malicious HTML using special nesting techniques could bypass the depth checking mechanism added in recent releases. Additionally, it was possible to use Prototype Pollution to weaken the depth check, rendering DOMPurify unable to prevent cross-site scripting (XSS) attacks. This vulnerability was discovered and disclosed on September 16, 2024, affecting versions prior to 2.5.4 and 3.1.3 (GitHub Advisory).

The vulnerability stems from a weakness in DOMPurify's depth checking mechanism that could be exploited through special HTML nesting techniques and prototype pollution. The issue has been assigned a CVSS v3.1 base score of 7.0 (High), with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L. The vulnerability is classified under CWE-1321 and allows attackers to bypass security controls meant to prevent XSS attacks (GitHub Advisory).

The vulnerability allows attackers to bypass DOMPurify's XSS protection mechanisms, potentially leading to successful cross-site scripting attacks. This could result in unauthorized data access (low impact on confidentiality), significant data modification (high impact on integrity), and minor service disruptions (low impact on availability) (GitHub Advisory).

The vulnerability has been fixed in DOMPurify versions 2.5.4 and 3.1.3. All users are advised to upgrade to these patched versions. The fixes were implemented through commits 1e52026 (3.x branch) and 26e1d69 (2.x branch), which hardened the depth tracking code against prototype pollution. There are no known workarounds for this vulnerability (NVD).

The vulnerability has been acknowledged and addressed by multiple organizations, including Red Hat, which has incorporated the fix into their products such as Red Hat OpenShift Dev Spaces 3.18.0 release (Red Hat Advisory).