fix(deps): update dependency dompurify to v3 [security]#597
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency dompurify to v3 [security]#597renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Contributor
Author
|
❌ Deploy Preview for practical-hodgkin-4543e2 failed.
|
|
ef138da to
be43aa6
Compare
|
be43aa6 to
b2f5607
Compare
❌ Deploy Preview for practical-hodgkin-4543e2 failed.
|
b2f5607 to
1ef59c2
Compare
1ef59c2 to
c11f2b6
Compare
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



This PR contains the following updates:
2.3.8→3.2.4DOMPurify allows tampering by prototype pollution
CVE-2024-45801 / GHSA-mmhx-hmjr-r674
More information
Details
It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.
This renders dompurify unable to avoid XSS attack.
Fixed by cure53/DOMPurify@1e52026 (3.x branch) and cure53/DOMPurify@26e1d69 (2.x branch).
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
DOMpurify has a nesting-based mXSS
CVE-2024-47875 / GHSA-gx9m-whjm-85jf
More information
Details
DOMpurify was vulnerable to nesting-based mXSS
fixed by 0ef5e537 (2.x) and
merge 943
Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking
POC is avaible under test
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
DOMPurify vulnerable to tampering by prototype polution
CVE-2024-48910 / GHSA-p3vf-v8qc-cwcr
More information
Details
dompurify was vulnerable to prototype pollution
Fixed by cure53/DOMPurify@d1dd037
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
DOMPurify allows Cross-site Scripting (XSS)
CVE-2025-26791 / GHSA-vhxf-7vqr-mrjg
More information
Details
DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).
Severity
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
cure53/DOMPurify (dompurify)
v3.2.4: DOMPurify 3.2.4Compare Source
v3.2.3: DOMPurify 3.2.3Compare Source
v3.2.2: DOMPurify 3.2.2Compare Source
v3.2.1: DOMPurify 3.2.1Compare Source
v3.2.0: DOMPurify 3.2.0Compare Source
v3.1.7: DOMPurify 3.1.7Compare Source
foreignObjectelement from the list of HTML entry-points, thanks @masatokinugawav3.1.6: DOMPurify 3.1.6Compare Source
v3.1.5: DOMPurify 3.1.5Compare Source
bower.js, thanks @HakumenNCv3.1.4: DOMPurify 3.1.4Compare Source
isNaNchecks, thanks @tulachv3.1.3: DOMPurify 3.1.3Compare Source
nodeTypeproperty, thanks @ssi02014v3.1.2: DOMPurify 3.1.2Compare Source
v3.1.1: DOMPurify 3.1.1Compare Source
Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.
v3.1.0: DOMPurify 3.1.0Compare Source
SAFE_FOR_XMLto enable better control over comment scrubbingv3.0.11: DOMPurify 3.0.11Compare Source
v3.0.10: DOMPurify 3.0.10Compare Source
v3.0.9: DOMPurify 3.0.9Compare Source
hasOwnPropertylogic, thanks @ssi02014console.warnmaking HappyDom happier, thanks @HugoPoiv3.0.8: DOMPurify 3.0.8Compare Source
v3.0.7: DOMPurify 3.0.7Compare Source
v3.0.6: DOMPurify 3.0.6Compare Source
v3.0.5: DOMPurify 3.0.5Compare Source
v3.0.4: DOMPurify 3.0.4Compare Source
shadowrootmodwhich should beshadowrootmode, thanks @masatokinugawav3.0.3: DOMPurify 3.0.3Compare Source
TRUSTED_TYPES_POLICYconfiguration option, thanks @dejangfeDropShadowto the SVG filter allow-list, thanks @SelfMadeSystemv3.0.2: DOMPurify 3.0.2Compare Source
ALLOWED_URI_REGEXPnot being reset, thanks @mukilanemprescriptstag to allowed MathML elements, thanks @duyhai94v3.0.1: DOMPurify 3.0.1Compare Source
v3.0.0: DOMPurify 3.0.0Compare Source
ALLOW_SELF_CLOSE_IN_ATTRflag, thanks @edg2s @AndreVirtimoshadowrootmode, thanks @mfreed7NOTE Please use the 2.4.4 release if you still need MSIE support, 3.0.0 comes without the MSIE overhead
v2.5.9: DOMPurify 2.5.9Compare Source
v2.5.8: DOMPurify 2.5.8Compare Source
v2.5.7: DOMPurify 2.5.7Compare Source
foreignObjectelement from the list of HTML entry-points, thanks @masatokinugawav2.5.6: DOMPurify 2.5.6Compare Source
v2.5.5: DOMPurify 2.5.5Compare Source
bower.js, thanks @HakumenNCv2.5.4: DOMPurify 2.5.4Compare Source
isNaNchecks affecting MSIE, thanks @tulachv2.5.3: DOMPurify 2.5.3Compare Source
v2.5.2: DOMPurify 2.5.2Compare Source
v2.5.1: DOMPurify 2.5.1Compare Source
Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.
v2.5.0: DOMPurify 2.5.0Compare Source
SAFE_FOR_XMLto enable better control over comment scrubbingv2.4.9: DOMPurify 2.4.9Compare Source
v2.4.8: DOMPurify 2.4.8Compare Source
v2.4.7: DOMPurify 2.4.7Compare Source
v2.4.6: DOMPurify 2.4.6Compare Source
noframeselement is permitted, thanks @leeNv2.4.5: DOMPurify 2.4.5Compare Source
v2.4.4: DOMPurify 2.4.4Compare Source
ALLOW_SELF_CLOSE_IN_ATTRflag, thanks @edg2s @AndreVirtimoshadowrootmode, thanks @mfreed7v2.4.3: DOMPurify 2.4.3Compare Source
v2.4.2: DOMPurify 2.4.2Compare Source
v2.4.1: DOMPurify 2.4.1Compare Source
ALLOWED_NAMESPACESfor better XML handling, thanks @kevin-deyoungster @tosmolkaSAFE_FOR_TEMPLATESistruev2.4.0: DOMPurify 2.4.0Compare Source
v2.3.12: DOMPurify 2.3.12Compare Source
v2.3.11: DOMPurify 2.3.11Compare Source
v2.3.10: DOMPurify 2.3.10Compare Source
v2.3.9: DOMPurify 2.3.9Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.