This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: DOMPurify < 2.4.2 suffers from **Prototype Pollution**. …
**CWE**: CWE-1321 (Prototype Pollution). **Flaw**: The sanitizer fails to properly handle specific HTML/SVG attributes, allowing malicious payloads to inject properties into `Object.prototype`.
Q3. Who is affected? (Versions/Components)
**Vendor**: Cure53. **Product**: DOMPurify (JS library for HTML/MathML/SVG). **Affected**: Versions **prior to 2.4.2**. **Safe**: v2.4.2+.
Q4. What can hackers do? (Privileges/Data)
**Impact**: High (CVSS 9.8). **Capabilities**: Full **Prototype Pollution**. …
**Threshold**: **LOW**. **Vector**: Network (AV:N). **Auth**: None required (PR:N). **UI**: None required (UI:N). Easy to exploit via standard web requests.
Q6. Is there a public Exp? (PoC/Wild Exploitation)
**Public Exp**: **YES**. **PoCs**: Multiple Proof-of-Concepts available on GitHub (e.g., Mitchellzhou1, Alex-Acero-Security). **Wild Exploitation**: Risk is high due to accessible PoCs.
Q7. How to self-check? (Features/Scanning)
**Check**: Scan for DOMPurify usage in frontend code. **Version**: Verify whether the installed version is **< 2.4.2**. **Test**: Use the provided PoCs to test whether prototype pollution occurs on sanitized inputs.
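As an added example for the self-check step (this is not code from the page or from the DOMPurify project), here are two defender-side checks in JavaScript: a version comparison against the fixed version the page names, and a prototype-pollution canary that wraps any sanitizer call and reports own properties that appeared on `Object.prototype`. It assumes you can read the installed version string (e.g. from `package.json`) and can call the sanitizer as a plain function. The two sanitizers are constructed stubs; `pollutingSanitizer` only simulates a library writing to the prototype and does not reproduce the actual DOMPurify defect or any payload.

```javascript
// Added example (not DOMPurify's own code). Assumptions: the installed
// version is available as a "MAJOR.MINOR.PATCH" string, and the sanitizer
// can be invoked as a function. Both sanitizers below are constructed stubs.

// Fixed version as stated in the advisory summary on this page.
const FIXED_VERSION = '2.4.2';

// Parse "MAJOR.MINOR.PATCH" (optionally prefixed with "v") into numbers;
// any pre-release or build suffix after the patch number is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator returning -1, 0 or 1 (numeric, so 2.4.10 > 2.4.2).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is below the fixed one.
function isVulnerableVersion(installed) {
  return compareSemver(installed, FIXED_VERSION) < 0;
}

// Prototype-pollution canary: snapshot the own property names of
// Object.prototype, run the sanitizer on the input, and report any name that
// appeared. Added properties are deleted again so later code is unaffected,
// and a sanitizer that throws is still inspected (pollution can precede the throw).
function detectPrototypePollution(sanitize, input) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  let sanitizerThrew = false;
  try {
    sanitize(input);
  } catch (e) {
    sanitizerThrew = true;
  }
  const added = Object.getOwnPropertyNames(Object.prototype)
    .filter((name) => !before.has(name));
  for (const name of added) delete Object.prototype[name];
  return { polluted: added.length > 0, properties: added, sanitizerThrew };
}

// Constructed stand-in for a correctly behaving sanitizer: strips all tags.
function cleanSanitizer(html) {
  return String(html).replace(/<[^>]*>/g, '');
}

// Constructed stand-in for a misbehaving sanitizer. It writes to
// Object.prototype as a side effect; this is a simulation for the canary,
// not the real DOMPurify defect.
function pollutingSanitizer(html) {
  Object.prototype.polluted = true;
  return cleanSanitizer(html);
}

// Usage with the stubs: the second report lists "polluted", the first is clean.
console.log('2.4.1 vulnerable:', isVulnerableVersion('2.4.1'));
console.log('2.4.2 vulnerable:', isVulnerableVersion('2.4.2'));
console.log(detectPrototypePollution(cleanSanitizer, '<b>hi</b>'));
console.log(detectPrototypePollution(pollutingSanitizer, '<b>hi</b>'));
```

The canary is deliberately library-agnostic: wrap whatever sanitizer call your code makes and feed it the inputs you want to check. A real DOMPurify call returns a string, so the wrapper can be used unchanged there; only the stubs are specific to this example.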
Q8. Is it fixed officially? (Patch/Mitigation)
**Fixed**: **YES**. **Date**: Oct 31, 2024. **Patch**: Upgrade to **DOMPurify v2.4.2** or later. **Ref**: GitHub Advisory GHSA-p3vf-v8qc-cwcr.
Q9. What if no patch? (Workaround)
**Workaround**: If upgrading is impossible, implement strict **Input Validation** on HTML/SVG content before passing it to DOMPurify. **Disable**: Temporarily disable DOMPurify if it is not critical (high risk).
Q10. Is it urgent? (Priority Suggestion)
**Priority**: **CRITICAL**. **Urgency**: Immediate action required. High CVSS score + Public PoCs + No Auth needed = **High Risk** for all web apps using this library.