CVE-2024-47875

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098	Product
https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f	Patch
https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a	Patch
https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cure53:dompurify::::::::
	cpe:2.3:a:cure53:dompurify::::::::

History

29 Sep 2025, 17:29

Type	Values Removed	Values Added
CPE		cpe:2.3:a:cure53:dompurify::::::::
First Time		Cure53 dompurify Cure53
References	~~() https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098 -~~	() https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098 - Product
References	~~() https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f -~~	() https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f - Patch
References	~~() https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a -~~	() https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a - Patch
References	~~() https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf -~~	() https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf - Exploit, Third Party Advisory

15 Oct 2024, 12:58

Type	Values Removed	Values Added
Summary		(es) DOMPurify es un desinfectante de XSS ultrarrápido, ultratolerante y exclusivo de DOM para HTML, MathML y SVG. DOMpurify era vulnerable a mXSS basado en anidamiento. Esta vulnerabilidad se solucionó en 2.5.0 y 3.1.3.

11 Oct 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-11 15:15

Updated : 2025-09-29 17:29

NVD link : CVE-2024-47875

Mitre link : CVE-2024-47875

CVE.ORG link : CVE-2024-47875

JSON object : View

Products Affected

cure53

dompurify

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

10.0 /10