CVE-2024-45801 in DOMPurify
Summary
by MITRE • 09/16/2024
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability identified as CVE-2024-45801 affects DOMPurify, a widely-used JavaScript library designed to sanitize HTML content and prevent cross-site scripting attacks by removing potentially dangerous elements from user input. This security flaw represents a significant regression in the library's ability to protect web applications from malicious code injection, as it undermines fundamental security mechanisms that were specifically implemented to address such threats. The vulnerability specifically targets the depth checking mechanisms that DOMPurify employs to prevent deeply nested HTML structures from causing performance issues or exploitation vectors, creating a critical weakness in the library's defensive capabilities.
The technical implementation of this vulnerability exploits sophisticated nesting techniques that manipulate the DOM structure in ways that circumvent the depth checking algorithms introduced in previous versions of the library. Attackers can craft malicious HTML payloads that appear to comply with the depth limits while actually traversing the DOM in unexpected patterns that bypass validation. Additionally, the vulnerability leverages prototype pollution techniques to weaken the depth checking mechanisms, allowing attackers to modify the prototype chain of objects used for validation, thereby undermining the integrity of the sanitization process. This dual approach of nesting manipulation and prototype pollution creates a particularly insidious attack vector that can bypass multiple layers of security controls.
The operational impact of this vulnerability is severe for any web application that relies on DOMPurify for HTML sanitization, as it completely defeats the library's primary purpose of preventing XSS attacks. Applications using affected versions of DOMPurify become vulnerable to malicious HTML injection that could execute arbitrary JavaScript code in users' browsers, potentially leading to session hijacking, data theft, or full compromise of user accounts. The vulnerability affects both version 2.x and 3.x branches of DOMPurify, meaning that a substantial portion of web applications using this library could be at risk, particularly those that have not yet upgraded to the patched versions. The lack of known workarounds forces organizations to immediately implement the recommended upgrades without alternative mitigation strategies.
Security practitioners should note that this vulnerability aligns with CWE-20: Improper Input Validation, as it represents a failure in properly validating HTML structure and depth during sanitization. The attack pattern also corresponds to ATT&CK technique T1203: Exploitation for Client Execution, as the vulnerability enables attackers to execute malicious code through browser-based vectors. Organizations using DOMPurify must prioritize immediate upgrade to versions 2.5.4 or 3.1.3, as these releases contain the necessary patches to address both the nesting bypass techniques and the prototype pollution weaknesses that were exploited. The vulnerability demonstrates the importance of comprehensive testing for edge cases in security libraries and highlights the need for continuous security validation of defensive mechanisms against evolving attack techniques that exploit implementation details rather than high-level vulnerabilities.