CVE-2024-47875: 
JavaScript vulnerability analysis and mitigation

DOMPurify, a DOM-only XSS sanitizer for HTML, MathML and SVG, was found to be vulnerable to nesting-based mutation XSS (mXSS). The vulnerability was identified and tracked as CVE-2024-47875, with a CVSS v3.1 base score of 10.0 (Critical). The issue was fixed in versions 2.5.0 and 3.1.3 (GitHub Advisory).

The vulnerability was related to nesting-based mutation XSS attacks, which could occur when elements were nested too deeply. The fix implemented a maximum element nesting depth of 500 to prevent mXSS attacks. The patch tracks the nesting depth of elements and removes them if they exceed the maximum depth limit (DOMPurify Commit).

The vulnerability received a Critical severity rating with a CVSS score of 10.0, indicating the highest level of severity. The attack vector is Network-based, requires low complexity, needs no privileges, and no user interaction. The scope is changed, with low impact on confidentiality but high impact on both integrity and availability (GitHub Advisory).

Users should upgrade to DOMPurify version 2.5.0 or 3.1.3 or later, depending on their major version track. The fix has been implemented in both the 2.x and 3.x branches of the project (GitHub Advisory).