CVE-2024-47875 Overview
CVE-2024-47875 is a Cross-Site Scripting (XSS) vulnerability affecting DOMPurify, the widely-used DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML, and SVG content. The vulnerability allows attackers to bypass DOMPurify's sanitization through a nesting-based mutation XSS (mXSS) technique, potentially enabling the execution of malicious scripts in users' browsers.
Critical Impact
Attackers can bypass DOMPurify's XSS sanitization through deeply nested HTML elements, allowing malicious JavaScript to execute in the context of vulnerable web applications that rely on DOMPurify for user input sanitization.
Affected Products
- Cure53 DOMPurify versions prior to 2.5.0
- Cure53 DOMPurify versions prior to 3.1.3
- Web applications and frameworks utilizing vulnerable DOMPurify versions for HTML sanitization
Discovery Timeline
- October 11, 2024 - CVE-2024-47875 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-47875
Vulnerability Analysis
DOMPurify was vulnerable to a nesting-based mutation XSS (mXSS) attack. Mutation XSS is a class of XSS in which the DOM tree the sanitizer inspects differs from the tree the browser builds when the sanitizer's serialized output is parsed again, so markup that looked inert during sanitization becomes active after re-parsing. In this case, the vulnerability stems from deeply nested HTML elements that could cause the sanitizer to produce output that mutates into executable JavaScript when processed by the browser.
The core issue relates to how browsers handle malformed or deeply nested HTML structures differently than the sanitization library expects. When HTML passes through DOMPurify and is then inserted into the DOM, the browser's parsing behavior can cause the sanitized output to "mutate" into a form that includes executable scripts, effectively bypassing the sanitization.
Root Cause
The root cause of this vulnerability is the absence of a maximum nesting depth limit in DOMPurify's sanitization process. Without this constraint, attackers could craft payloads with excessive element nesting that exploit parsing differences between the sanitizer's DOM implementation and browser rendering engines. The fix introduces a MAX_NESTING_DEPTH constant set to 500 to prevent such attacks.
Attack Vector
The attack is network-based and requires user interaction. An attacker must craft a specially structured HTML payload with deep nesting and deliver it to a victim through a web application that uses DOMPurify for sanitization. When the victim's browser renders the sanitized content, the nested structure mutates into executable JavaScript code.
// Security patch introducing MAX_NESTING_DEPTH limit
// Source: https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a
/* Keep a reference to config to pass to hooks */
let CONFIG = null;
+ /* Specify the maximum element nesting depth to prevent mXSS */
+ const MAX_NESTING_DEPTH = 500;
/* Ideally, do not touch anything below this line */
/* ______________________________________________ */
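Review bot: this excerpt only declares the limit (`+ const MAX_NESTING_DEPTH = 500;`) beside `let CONFIG = null;`; the place where an element's depth is compared against it and the excess is removed is not shown, so the constant alone changes no sanitizer behaviour, and the enforcement site together with a regression test at depth 501 should accompany it. A bare `const` is also not reachable through the `CONFIG` object that the preceding comment says is passed to hooks; if integrators need a stricter or looser cap, reading it from the config with 500 as the default would fit the surrounding code.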
Detection Methods for CVE-2024-47875
Indicators of Compromise
- Unusual patterns of deeply nested HTML elements in user-submitted content
- JavaScript errors or unexpected script execution on pages using DOMPurify
- Anomalous DOM structures in rendered pages that differ from expected sanitized output
- Reports of XSS attacks on applications previously believed to be protected by DOMPurify
Detection Strategies
- Monitor application logs for attempts to submit HTML content with unusually deep element nesting
- Implement Content Security Policy (CSP) reporting to detect unexpected inline script execution
- Use browser developer tools or automated testing to compare sanitized output against rendered DOM
- Scan application dependencies to identify vulnerable DOMPurify versions (< 2.5.0 or < 3.1.3)
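A dependency check of the kind the last item describes, as an added example (not code from the advisory or from the DOMPurify project). It walks the "packages" map of an npm lockfile (v2/v3 format) and flags any copy of dompurify below the fixed version for its major line, using the versions the advisory gives (2.5.0 and 3.1.3); the sample lockfile is constructed, and the handling of majors outside 2 and 3 is an assumption stated in the comments.

```javascript
// Added example (not DOMPurify's or the advisory's own code): flag vulnerable
// DOMPurify versions in an npm package-lock.json (lockfileVersion 2 or 3).
// Fixed versions come from the advisory: 2.5.0 for the 2.x line, 3.1.3 for 3.x.

const FIXED_VERSIONS = { 2: [2, 5, 0], 3: [3, 1, 3] };

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed DOMPurify version is below the fix for its major line.
// Assumption: majors below 2 are older than every fixed release and count as
// vulnerable; majors above 3 have no fix listed here and are treated as unaffected.
function isVulnerableDomPurify(version) {
  const parsed = parseVersion(version);
  const major = parsed[0];
  if (major < 2) return true;
  const fixed = FIXED_VERSIONS[major];
  if (!fixed) return false;
  return compareVersions(parsed, fixed) < 0;
}

// Walk the lockfile "packages" map. Keys look like "node_modules/dompurify" or,
// for nested copies pulled in by another dependency,
// "node_modules/<other>/node_modules/dompurify".
function findVulnerableDomPurify(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    if (!entry.version) continue;
    if (isVulnerableDomPurify(entry.version)) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/dompurify": { version: "3.1.2" },
    "node_modules/some-editor": { version: "4.2.0" },
    "node_modules/some-editor/node_modules/dompurify": { version: "2.5.0" },
  },
};

console.log(findVulnerableDomPurify(SAMPLE_LOCKFILE));
// [ { path: 'node_modules/dompurify', version: '3.1.2' } ]
```

Nested copies matter here: a vendored editor or widget can carry its own dompurify under its own node_modules directory, which a top-level `npm list dompurify` still shows but a check that only reads the root package.json would miss.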
Monitoring Recommendations
- Deploy Software Composition Analysis (SCA) tools to track DOMPurify versions across your codebase
- Enable CSP violation reporting to catch any XSS bypass attempts in production
- Implement client-side monitoring for unexpected script execution events
- Regularly audit third-party JavaScript libraries for known vulnerabilities
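The CSP reporting the detection and monitoring lists recommend, as an added example that is not part of the advisory: a policy that forbids inline script so a sanitizer bypass produces a violation report, and a triage function over the JSON body a browser posts. The directive names and the "csp-report" body fields are standard CSP; the /csp-report endpoint path and the sample reports are constructed for the example.

```javascript
// Added example (not from the advisory): CSP header builder plus triage of the
// violation reports browsers send back. Endpoint path is an assumed value.

const REPORT_ENDPOINT = "/csp-report"; // assumed path on the application

// Build a policy that disallows inline script, so an injected <script> or
// inline event handler is blocked and reported instead of running.
function buildCspHeader(reportOnly = false) {
  const directives = [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    `report-uri ${REPORT_ENDPOINT}`,
  ];
  return {
    name: reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
    value: directives.join("; "),
  };
}

// Classify one report body (the "csp-report" JSON a browser POSTs).
// Inline script blocked under script-src is the signal relevant to an mXSS bypass.
function triageCspReport(body) {
  const r = body && body["csp-report"];
  if (!r) return { severity: "ignore", reason: "not a csp-report body" };
  const directive = (r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
  const blocked = r["blocked-uri"] || "";
  if (directive === "script-src" && (blocked === "inline" || blocked === "eval")) {
    return {
      severity: "high",
      reason: `inline script blocked on ${r["document-uri"]}`,
      sample: r["script-sample"] || null,
    };
  }
  if (directive === "script-src") {
    return { severity: "medium", reason: `external script blocked: ${blocked}` };
  }
  return { severity: "low", reason: `${directive} violation` };
}

// Constructed sample reports (not real traffic).
const SAMPLE_REPORTS = [
  {
    "csp-report": {
      "document-uri": "https://app.example/comments",
      "effective-directive": "script-src",
      "blocked-uri": "inline",
      "script-sample": "alert(document.domain)",
    },
  },
  {
    "csp-report": {
      "document-uri": "https://app.example/",
      "violated-directive": "img-src 'self'",
      "blocked-uri": "https://cdn.example/x.png",
    },
  },
];

console.log(buildCspHeader().value);
for (const report of SAMPLE_REPORTS) console.log(triageCspReport(report));
```

Roll the policy out in Report-Only mode first; a high-severity report from a page that renders DOMPurify output is the point at which to pull the submitted content and compare the sanitizer's output with the rendered DOM.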
How to Mitigate CVE-2024-47875
Immediate Actions Required
- Update DOMPurify to version 2.5.0 or later (for 2.x branch) immediately
- Update DOMPurify to version 3.1.3 or later (for 3.x branch) immediately
- Audit applications to identify all instances where DOMPurify is used for HTML sanitization
- Review recent user-submitted content for potential exploitation attempts
Patch Information
Cure53 has released security patches addressing this nesting-based mXSS vulnerability. The fixes are available in the following commits:
The patch introduces a maximum element nesting depth of 500 to prevent mXSS attacks through deeply nested HTML structures. Regex improvements were also included to strengthen input validation.
For Debian LTS users, refer to the Debian LTS Announcement for distribution-specific update instructions.
Workarounds
- Implement additional server-side input validation to reject excessively nested HTML before it reaches DOMPurify
- Deploy strict Content Security Policy (CSP) headers to mitigate the impact of any XSS bypass
- Consider implementing a pre-processing step that flattens or limits HTML nesting depth before sanitization
- Use output encoding as a defense-in-depth measure alongside DOMPurify sanitization
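The server-side pre-filter described in the first and third workarounds, as an added example (not DOMPurify's code and not from the advisory). It estimates the maximum element nesting depth of an HTML string with a small tag tokenizer and rejects input above a limit before the string reaches the sanitizer. The tokenizer deliberately does not reproduce the browser's HTML parser, which is exactly the gap mXSS lives in: it counts every open tag that is not explicitly closed, so its figure is an upper bound that can exceed what the browser would build (implied end tags such as a second unclosed <p> are not modelled). The limit of 500 mirrors the patch's MAX_NESTING_DEPTH; the sample inputs are constructed.

```javascript
// Added example (not DOMPurify's code): coarse nesting-depth pre-filter for
// HTML input. The tokenizer is intentionally simple; it is an upper-bound
// estimate to cap abusive input, not a replacement for an up-to-date sanitizer.

const VOID_ELEMENTS = new Set([
  "area", "base", "br", "col", "embed", "hr", "img", "input", "link",
  "meta", "param", "source", "track", "wbr",
]);

// Matches an HTML comment (skipped) or a start/end tag. Group 1 is the tag
// name, group 2 is "/" when the tag is written self-closing (<br/>).
const TAG_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][^\s/>]*)[^>]*?(\/?)>/g;

// Returns the maximum number of simultaneously open (not yet closed) elements.
function estimateNestingDepth(html) {
  const stack = [];
  let maxDepth = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    if (m[1] === undefined) continue;            // comment: skip
    const name = m[1].toLowerCase();
    const isClose = m[0].charAt(1) === "/";
    const selfClosing = m[2] === "/";
    if (isClose) {
      // Pop back to the nearest matching open tag; a stray close is ignored.
      const idx = stack.lastIndexOf(name);
      if (idx !== -1) stack.length = idx;
    } else if (!VOID_ELEMENTS.has(name) && !selfClosing) {
      stack.push(name);
      if (stack.length > maxDepth) maxDepth = stack.length;
    }
  }
  return maxDepth;
}

// Reject input whose estimated depth exceeds `limit`. 500 matches the
// MAX_NESTING_DEPTH the patch introduced; applications can choose a lower cap.
function checkNestingDepth(html, limit = 500) {
  const depth = estimateNestingDepth(html);
  return { ok: depth <= limit, depth, limit };
}

// Constructed samples (not real submissions).
const SAMPLE_NORMAL = "<div><p>Hello <b>world</b></p><img src=x><br></div>";
const SAMPLE_DEEP = "<div>".repeat(600) + "text" + "</div>".repeat(600);

console.log(checkNestingDepth(SAMPLE_NORMAL)); // { ok: true, depth: 3, limit: 500 }
console.log(checkNestingDepth(SAMPLE_DEEP));   // { ok: false, depth: 600, limit: 500 }
```

Because the estimate is an upper bound, legitimate content with many unclosed tags can trip a tight limit; log rejections with the computed depth so the threshold can be tuned, and keep the sanitizer upgrade as the actual fix.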
# Update DOMPurify to the latest release via npm
npm install dompurify@latest
# Or install the specific patched versions
npm install dompurify@2.5.0 # For 2.x branch
npm install dompurify@3.1.3 # For 3.x branch
# Verify installed version
npm list dompurify
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

