CVE-2024-48910: 
JavaScript vulnerability analysis and mitigation

DOMPurify, a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG, was found to be vulnerable to prototype pollution (CVE-2024-48910). The vulnerability was discovered and fixed in version 2.4.2, with the initial disclosure made on October 31, 2024 (NVD, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impact to both confidentiality and integrity, though without affecting availability (GitHub Advisory).

The prototype pollution vulnerability in DOMPurify could allow attackers to tamper with object prototype attributes, potentially leading to security bypasses and unauthorized modifications of application behavior. The high CVSS score indicates significant potential impact on system security, particularly affecting data confidentiality and integrity (GitHub Advisory).

The vulnerability has been fixed in DOMPurify version 2.4.2. Users are strongly advised to upgrade to this version or later to protect against prototype pollution attacks. The fix was implemented through a commit that addresses the prototype pollution issue (GitHub Commit).