CVE-2024-48910

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc	Patch
https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html

Configurations

Configuration 1 (hide)

cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*

History

03 Nov 2025, 21:16

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html -

23 Sep 2025, 02:01

Type	Values Removed	Values Added
References	~~() https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc -~~	() https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc - Patch
References	~~() https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr -~~	() https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr - Vendor Advisory
Summary		(es) DOMPurify es un desinfectante XSS ultrarrápido, ultratolerante y exclusivo de DOM para HTML, MathML y SVG. DOMPurify era vulnerable a la contaminación de prototipos. Esta vulnerabilidad se solucionó en la versión 2.4.2.
First Time		Cure53 Cure53 dompurify
CPE		cpe:2.3:a:cure53:dompurify::::::::

31 Oct 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-31 15:15

Updated : 2025-11-03 21:16

NVD link : CVE-2024-48910

Mitre link : CVE-2024-48910

CVE.ORG link : CVE-2024-48910

JSON object : View

Products Affected

cure53

dompurify

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

9.1 /10