CVE-2024-45801 Overview
CVE-2024-45801 is a Cross-Site Scripting (XSS) sanitizer bypass vulnerability affecting DOMPurify, a widely-used DOM-only, high-performance XSS sanitizer library for HTML, MathML, and SVG content. The vulnerability enables attackers to bypass DOMPurify's depth checking mechanism through specially crafted malicious HTML using advanced nesting techniques. Additionally, the flaw can be exploited via Prototype Pollution to weaken the depth check, rendering the sanitizer ineffective against XSS attacks.
DOMPurify is extensively used in web applications to sanitize user-supplied HTML content before rendering, making this bypass vulnerability particularly concerning for applications relying on it as a primary defense against XSS attacks.
Critical Impact
Attackers can inject and execute arbitrary JavaScript code in victims' browsers by bypassing DOMPurify's sanitization, potentially leading to session hijacking, credential theft, and malicious actions performed on behalf of authenticated users.
Affected Products
- Cure53 DOMPurify versions prior to 2.5.4
- Cure53 DOMPurify versions prior to 3.1.3
Discovery Timeline
- 2024-09-16 - CVE-2024-45801 published to NVD
- 2025-09-22 - Last updated in NVD database
Technical Details for CVE-2024-45801
Vulnerability Analysis
This vulnerability exploits weaknesses in DOMPurify's depth tracking mechanism, which was implemented to prevent deeply nested HTML structures that could potentially bypass sanitization. The attack leverages two distinct techniques: special HTML nesting patterns that evade the depth checker, and Prototype Pollution to manipulate the depth checking logic itself.
The vulnerability falls under CWE-1333 (Inefficient Regular Expression Complexity) and CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). When successfully exploited, malicious HTML content passes through the sanitizer unaltered, enabling the execution of arbitrary JavaScript in the context of the vulnerable application.
The network-accessible nature of this vulnerability means any web application using affected DOMPurify versions to sanitize user-controlled HTML input is potentially vulnerable. User interaction is required for exploitation, typically involving a victim viewing a page containing attacker-supplied content that has been "sanitized" by the vulnerable DOMPurify instance.
Root Cause
The root cause lies in the insufficient hardening of DOMPurify's depth tracking code against Prototype Pollution attacks. The depth checking mechanism could be manipulated through JavaScript's prototype chain, allowing attackers to influence the sanitization logic. Additionally, the nesting depth validation had gaps that could be exploited through carefully constructed HTML structures.
The vulnerability specifically relates to how numeric values were validated in the depth checking code. The Number.isNaN function was not properly protected (unapplied) against prototype pollution, allowing attackers to potentially manipulate the behavior of numeric checks used in depth validation.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts malicious HTML that exploits either the nesting technique bypass or Prototype Pollution weakness:
Nesting Technique Bypass: The attacker creates deeply nested HTML structures using specific element combinations that evade the depth checker while still containing executable JavaScript payloads.
Prototype Pollution Attack: The attacker first pollutes JavaScript prototypes (e.g., through gadgets in the application or via other vulnerabilities) to weaken the depth check validation, then submits malicious HTML that would normally be caught by a functioning depth checker.
The patched code hardens the depth tracking by wrapping Number.isNaN with the unapply function to prevent prototype pollution from affecting its behavior:
// Security patch - Hardening depth tracking against prototype pollution
const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
const regExpTest = unapply(RegExp.prototype.test);
const typeErrorCreate = unconstruct(TypeError);
+const numberIsNaN = unapply(Number.isNaN);
/**
* Creates a new function that calls the given function with a specified thisArg and arguments.
Source: DOMPurify Security Commit
The fix was also merged into the 2.x branch:
// Security patch for 2.x branch
var stringTrim = unapply(String.prototype.trim);
var regExpTest = unapply(RegExp.prototype.test);
var typeErrorCreate = unconstruct(TypeError);
+var numberIsNaN = unapply(Number.isNaN);
function unapply(func) {
return function (thisArg) {
for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
Source: DOMPurify 2.x Security Commit
Detection Methods for CVE-2024-45801
Indicators of Compromise
- Unusual JavaScript execution events following user-submitted HTML content rendering
- Web application firewall (WAF) logs showing deeply nested HTML structures or prototype pollution patterns
- Client-side errors related to unexpected DOM modifications or script execution
- Reports of suspicious behavior from users after interacting with user-generated content
Detection Strategies
- Implement Content Security Policy (CSP) headers with strict script-src directives to detect and block unauthorized script execution
- Monitor application logs for patterns indicative of XSS attempts, including unusual HTML structures with excessive nesting
- Deploy client-side monitoring to detect prototype pollution attempts targeting built-in JavaScript objects
- Use SentinelOne Singularity XDR to identify anomalous browser behavior and potential XSS exploitation patterns
Monitoring Recommendations
- Enable verbose logging for content sanitization operations to track potential bypass attempts
- Monitor for client-side JavaScript errors that may indicate exploitation attempts or DOM manipulation
- Implement real-time alerting for CSP violation reports indicating blocked script execution
- Track DOMPurify version deployments across your application portfolio using software composition analysis (SCA) tools
How to Mitigate CVE-2024-45801
Immediate Actions Required
- Upgrade DOMPurify to version 2.5.4 or later for the 2.x branch, or version 3.1.3 or later for the 3.x branch
- Audit all applications using DOMPurify and prioritize updates for internet-facing applications that process user-submitted HTML
- Implement additional defense-in-depth measures such as strict Content Security Policy headers
- Review application code for potential Prototype Pollution vulnerabilities that could compound this issue
Patch Information
Cure53 has released security patches addressing this vulnerability in DOMPurify versions 2.5.4 and 3.1.3. The patches harden the depth tracking code against prototype pollution by using the unapply pattern on Number.isNaN and other critical functions.
The security commits are available for review:
For detailed information about this vulnerability, see the GitHub Security Advisory.
Workarounds
- There are no known workarounds for this vulnerability; upgrading to a patched version is the only remediation
- As a temporary defense-in-depth measure, implement strict Content Security Policy headers to limit script execution
- Consider server-side HTML sanitization as an additional layer while planning the upgrade
- Limit or disable user-submitted HTML features until the patch can be deployed
# Update DOMPurify via npm
npm update dompurify@latest
# Or install specific patched versions
npm install [email protected] # For 3.x users
npm install [email protected] # For 2.x users
# Verify installed version
npm list dompurify
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
