MEDIUM · CVSS 6.1
CVE-2024-47875 — DOMPurify bypass on sandboxed iframes
A DOMPurify bypass let an attacker smuggle executable JavaScript through the sanitizer under specific parser conditions, re-enabling XSS in apps that relied on DOMPurify as the only defense.
Affects
- DOMPurify < 3.2.0
What an attacker does
The attacker supplies user-controlled content containing a crafted HTML fragment. DOMPurify's parser and serializer disagreed on how to handle certain malformed attribute encodings, so the serialized output contained an executable `<script>` element even though the parser had rejected it.
How to detect
Run `npm ls dompurify` and compare every resolved copy of DOMPurify it lists, including transitive ones, against 3.2.0; any older version is affected.
How to fix
Upgrade DOMPurify to 3.2.0 or later. In addition, deploy a strict Content Security Policy that forbids inline scripts, so that a sanitizer bypass on its own cannot execute script.
How Securie catches it
Securie's XSS specialist checks the installed DOMPurify version and the presence of a CSP together, so a vulnerable version with no CSP backstop is flagged.
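The detection and fix steps above, combined the way the check is described here, as an added example (not code from the advisory or from Securie): walk the JSON output of `npm ls dompurify --json` for copies below 3.2.0 and test whether the site's CSP still permits inline scripts. The dependency tree and CSP header are constructed samples.

```javascript
// Added example, not from the advisory. Both sample inputs below are constructed.
const FIXED = [3, 2, 0]; // first DOMPurify release the advisory lists as fixed

function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10) || 0);
}

// True when semver string `v` sorts strictly before the [major, minor, patch] target.
function olderThan(v, target) {
  const a = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== target[i]) return (a[i] || 0) < target[i];
  }
  return false;
}

// Recursively collect every dompurify entry (direct or transitive) below the fixed version,
// reporting the dependency path so the owning package can be identified.
function findVulnerableDompurify(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'dompurify' && olderThan(node.version, FIXED)) out.push(here.join(' > '));
    findVulnerableDompurify(node, here, out);
  }
  return out;
}

// Does script-src (falling back to default-src) permit inline scripts?
// A nonce or hash source keeps inline scripts blocked even when 'unsafe-inline' is present.
function cspAllowsInlineScripts(csp) {
  const dirs = Object.fromEntries(
    csp.split(';').map((d) => d.trim().split(/\s+/)).filter((p) => p[0]).map(([n, ...src]) => [n, src]),
  );
  const src = dirs['script-src'] || dirs['default-src'];
  if (!src) return true; // no applicable directive at all: inline scripts run
  const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return src.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample: one patched top-level copy, one vulnerable transitive copy.
const sampleTree = { dependencies: {
  'editor-kit': { version: '1.4.0', dependencies: { dompurify: { version: '3.1.7' } } },
  dompurify: { version: '3.2.0' },
} };
const sampleCsp = "default-src 'self'; script-src 'self' 'unsafe-inline'";

// Exposed means: a vulnerable copy is installed AND the CSP would let the smuggled script run.
function assess(tree, csp) {
  const vulnerable = findVulnerableDompurify(tree);
  const inlineAllowed = cspAllowsInlineScripts(csp);
  return { vulnerable, inlineAllowed, exposed: vulnerable.length > 0 && inlineAllowed };
}
```

Feed it the parsed output of `npm ls dompurify --json` and the value of your `Content-Security-Policy` header; a result with `exposed: true` is the case the advisory describes.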