CVE-2024-45801 - DOMPurify XSS Bypass via Improper Nesting and Prototype Pollution

DOMPurify is a popular JavaScript library designed to sanitize HTML, MathML, and SVG. It protects web applications from the dangerous threat of Cross-Site Scripting (XSS) by filtering out potentially harmful content before rendering it in the browser. Unfortunately, a serious vulnerability—CVE-2024-45801—was discovered in DOMPurify in early 2024. This flaw allows attackers to bypass the built-in checks and successfully inject malicious scripts into web applications that use DOMPurify for sanitization.

In this post, you'll get a comprehensive but easy-to-understand explanation of what went wrong, how an exploit works, and what you should do to defend yourself.

What Is DOMPurify?

DOMPurify is open-source, and it's widely used across the web because it's fast, tolerant of various input types, and operates on the browser's Document Object Model (DOM) for secure HTML sanitization. It’s a core part of many projects that allow user-supplied HTML, such as forums, wikis, and content editors.

Official DOMPurify Repository:
https://github.com/cure53/DOMPurify

What Is CVE-2024-45801?

CVE-2024-45801 is a serious security hole affecting DOMPurify versions before 2.5.4 and 3.1.3. The problem arises because DOMPurify's mechanism for checking the depth of nested elements, intended to prevent tricky XSS payloads, can be bypassed:

- Adversarial Nesting: By using creative and deeply nested HTML structures, attackers can slip malicious elements past DOMPurify's defenses.
- Prototype Pollution: Attackers can also manipulate JavaScript's built-in objects (like Object.prototype) so that DOMPurify's depth check isn't reliable.

Either attack can lead to XSS—malicious code running in a site visitor’s browser.

1. Escaping the Depth Check with Special Nesting

DOMPurify enforces a limit on how deeply elements can be nested, on the premise that excessively nested markup is likely malicious. But when elements are nested in a particularly crafty way, the malicious content can pass through without being noticed.

Example Attack Payload

<svg><g><g><g><g><g><g><g><g><g><g>
  <script>alert('XSS')</script>
</g></g></g></g></g></g></g></g></g></g></svg>

Normally, DOMPurify would block script tags. But because of flaws in the way it counts nested elements and processes complex SVG, these dangerous scripts could sneak through.

2. Weakening Depth Checks via Prototype Pollution

JavaScript objects can be altered in unexpected ways. If an attacker manages to pollute the Object.prototype (for example, by manipulating __proto__), functions relying on object checks to count element depth can be tricked.

Simulating Prototype Pollution

// Attacker code before DOMPurify runs
Object.prototype.depth = -999;

// Now DOMPurify will use this polluted 'depth' property,
// causing its depth check to malfunction.

Once this happens, DOMPurify can no longer reliably detect overly nested input. The result: an XSS payload goes undetected.

Here's a basic demo of how one might exploit this issue on a vulnerable application:

Object.prototype.depth = -999; // Pollute global prototype

let dirty = `<svg><g><g><g><g><g><g><g><g><g><g>
  <script>alert('Hacked!')</script></g></g></g></g></g></g></g></g></g></g></svg>`;

let clean = DOMPurify.sanitize(dirty, {SAFE_FOR_JQUERY: true});

document.body.innerHTML = clean; // The script tag may run if unpatched!
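As a defensive counterpart to the demo above, here is a pre-flight guard an application can run before calling the sanitizer. It is illustrative code written for this post, not DOMPurify's own; it assumes the library object exposes its version string as `DOMPurify.version`, and it refuses to sanitize when the installed version predates the fix (2.5.4 / 3.1.3) or when Object.prototype carries an enumerable key such as the `depth` property the demo plants.

```javascript
// Added pre-flight checks for an app embedding DOMPurify (illustrative, not the
// library's own code). Assumption: the library object exposes `version` as a string.

// Fixed releases named in the advisory: 2.5.4 on the 2.x line, 3.1.3 on the 3.x line.
const FIXED_VERSIONS = { 2: [2, 5, 4], 3: [3, 1, 3] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True only if the installed version is at or past the fix on its release line.
// Anything below 2.x predates the fix; anything above 3.x postdates it.
function isPatchedVersion(v) {
  const parsed = parseVersion(v);
  const fixed = FIXED_VERSIONS[parsed[0]];
  if (!fixed) return parsed[0] > 3;
  return compareVersions(parsed, fixed) >= 0;
}

// Built-in Object.prototype members are all non-enumerable, so any enumerable
// own key (which `Object.prototype.depth = -999` creates) is evidence of pollution.
function findPrototypePollution() {
  return Object.keys(Object.prototype);
}

// Refuse to sanitize when the sanitizer cannot be trusted in this environment.
function guardedSanitize(purify, dirty) {
  if (!isPatchedVersion(purify.version)) {
    throw new Error(`DOMPurify ${purify.version} is affected by CVE-2024-45801; upgrade`);
  }
  const polluted = findPrototypePollution();
  if (polluted.length > 0) {
    throw new Error(`Object.prototype polluted with: ${polluted.join(', ')}`);
  }
  return purify.sanitize(dirty);
}
```

Run the pollution check as early as possible in page load, before any untrusted script or JSON-merging code has had a chance to touch Object.prototype.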

Impact and Severity

XSS vulnerabilities are among the most dangerous on the web. They can allow attackers to steal session cookies, log keystrokes, hijack accounts, and perform actions on behalf of users. Any application relying on DOMPurify for HTML sanitization is at risk if it's using the affected versions.

1. Upgrade Immediately

This vulnerability is fixed in DOMPurify 2.5.4 and 3.1.3. Older versions are unsafe.

With npm

npm install dompurify@latest

Or update your CDN to use the latest version.

- DOMPurify releases: https://github.com/cure53/DOMPurify/releases

2. No Workarounds

There are no known workarounds. Disabling user HTML input entirely is the only alternative if you can't upgrade. Do not trust your own attempts at patching—use the official update.

Summary

CVE-2024-45801 is a major reminder that even established security tools like DOMPurify can harbor subtle bugs. If you're using DOMPurify in your web application, update to version 2.5.4 or 3.1.3 as soon as possible to protect your users from XSS.

If you need extra advice or face issues updating, check out the DOMPurify community discussions or consider getting security experts involved.

Timeline

Published on: 09/16/2024 19:16:11 UTC
Last modified on: 09/20/2024 12:31:20 UTC