Outdated HTML Sanitizer Allows Malicious Scripts to Bypass Protection
Your website uses a library called DOMPurify to clean up untrusted content before displaying it to users — think of it like a filter that strips out dangerous code. A flaw in the version you're running means that filter can be tricked into letting harmful scripts through. An attacker who can submit content to your site (e.g. via a form, comment box, or rich-text editor) could exploit this to run malicious code in your visitors' browsers.
Business Impact And Actions
high urgencyBusiness Impact
If exploited, this could allow an attacker to steal session cookies, hijack user accounts, redirect visitors to phishing pages, or deface your site. If your product handles user-generated content — comments, messages, document editors — the risk is directly relevant to your users' safety and your reputation. A breach of this kind can also trigger compliance obligations if personal data is exposed.
What To Do
- Ask your developer to upgrade the DOMPurify library to version 2.5.4 or higher (or 3.1.3+ if on the 3.x series). This is a straightforward dependency update.
- If your site uses a third-party plugin or component that bundles DOMPurify (e.g. a PDF generator or rich-text editor), ask your developer to check whether that component also needs updating.
- After the update is deployed, ask your developer to confirm the new version is live using the verification steps in the technical guide.
- Consider subscribing to the DOMPurify security mailing list so you're notified of future security releases automatically.
DOMPurify < 2.5.4 / < 3.1.3 — Prototype Pollution Bypasses XSS Sanitization (CVE-2024-45801)
high severity CVSS 7.0Vulnerability Explanation
DOMPurify introduced depth-checking logic in recent releases to guard against deeply nested HTML structures used in mutation XSS (mXSS) attacks. CVE-2024-45801 reveals two related weaknesses: (1) specially crafted nested HTML can bypass the depth check entirely, and (2) an attacker can use JavaScript Prototype Pollution — injecting properties onto Object.prototype via malicious HTML attributes — to corrupt the depth-tracking state, causing DOMPurify to undercount nesting depth and allow dangerous payloads through. Because Object.prototype properties are inherited by all JavaScript objects, polluting it can silently alter the behavior of the depth check without any visible error. The net result is that DOMPurify's sanitize() call returns HTML that still contains executable XSS payloads.
Root Cause
The depth-checking mechanism used plain object property lookups that were susceptible to prototype chain inheritance. An attacker-controlled HTML input could set __proto__ or constructor properties in a way that pre-populated the depth counter with attacker-chosen values, weakening or nullifying the nesting guard. The fix hardened the depth tracking code to be immune to prototype pollution (e.g. using Object.create(null) or explicit hasOwnProperty checks).
Technical Impact
An attacker who can supply HTML input to any DOMPurify.sanitize() call can bypass sanitization and inject arbitrary JavaScript into the page. This enables stored or reflected XSS: session hijacking, credential theft, account takeover, malicious redirects, or full page defacement — all executing in the victim's browser with the privileges of the vulnerable origin.
Severity Justification
Network-exploitable, no authentication required, no user interaction needed beyond visiting a page with attacker-controlled content. Impact is significant integrity compromise (XSS). CVSS 7.0 per official advisory.
Affected Components
dompurify < 2.5.4dompurify >= 3.0.0 < 3.1.3
Remediation Steps
- Identify which version of DOMPurify is in use: run `npm list dompurify` or check your package-lock.json / yarn.lock.
- Upgrade to the patched version. For the 2.x branch: `npm install dompurify@^2.5.4`. For the 3.x branch: `npm install dompurify@^3.1.3`. Prefer the latest stable release (3.x) for new projects.
- Check for transitive dependencies: other packages (e.g. jsPDF, Redoc, rich-text editors) may bundle their own copy of DOMPurify. Run `npm list dompurify` to find all instances and use `overrides` (npm) or `resolutions` (yarn) to force the patched version if a direct upgrade isn't possible.
- Rebuild and redeploy your application. If DOMPurify is loaded from a CDN, update the CDN URL to reference version 2.5.4+ or 3.1.3+.
- Verify the fix using the steps below.
Verification Steps
- Run `npm list dompurify` and confirm no version below 2.5.4 (2.x) or 3.1.3 (3.x) appears in the output tree.
- In the browser console on your deployed app, run `DOMPurify.version` — it should return 2.5.4 or higher.
- If DOMPurify is bundled, search the compiled output for the version string: `grep -r 'DOMPurify' dist/ | grep 'version'`.
- Run your existing test suite to confirm sanitization behavior is unchanged after the upgrade.
Code Examples (json)
// package.json — vulnerable
{
"dependencies": {
"dompurify": "^2.4.5"
}
}// package.json — fixed (2.x branch)
{
"dependencies": {
"dompurify": "^2.5.4"
}
}
// Or upgrade to the 3.x branch (recommended for new projects)
{
"dependencies": {
"dompurify": "^3.1.3"
}
}
// Force patched version for transitive dependencies (npm overrides)
{
"overrides": {
"dompurify": "^2.5.4"
}
}Best Practices
- Pin or range-lock security-critical dependencies and review them in every dependency audit (`npm audit`).
- Use `npm list <package>` regularly to detect multiple versions of the same library installed by transitive dependencies.
- Subscribe to the DOMPurify security mailing list (https://lists.ruhr-uni-bochum.de/mailman/listinfo/dompurify-security) to receive immediate notification of future security releases.
- Never rely solely on client-side sanitization — validate and sanitize user-generated HTML on the server side as well.
Found this in your infrastructure?
VulWall scans for this and dozens of other issues automatically.
Scan Your Domain Free