From dompurify-security at lists.ruhr-uni-bochum.de Sat May 11 12:30:39 2024
From: dompurify-security at lists.ruhr-uni-bochum.de (Security Announcements for DOMPurify and related tools)
Date: Sat, 11 May 2024 12:30:39 +0200
Subject: [DOMPurify Security] New Release Versions 2.5.3 & 3.1.3 (Security Issue)
Message-ID:

*Intro*

New versions of DOMPurify were released today: DOMPurify 2.5.3 & 3.1.3

*Background*

It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

The problems were reported and fixed in cooperation with @kevin-mizu and @Ry0taK.

*Fix*

DOMPurify now has better protection against DOM Clobbering, Prototype Pollution and bypasses regarding the recently discovered nesting-based mXSS attacks. Stronger validation of nesting depth has been added, as well as additional protection against nesting-based bypasses.

*Packages*

Updated packages are available here:

https://github.com/cure53/DOMPurify/releases/tag/2.5.3
https://github.com/cure53/DOMPurify/releases/tag/3.1.3

EOF

--
Fon +49 1520 8675 782
PGP 0xC26C858090F70ADA
cure53.de || keybase.io/cure53 || @cure53berlin
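
An added example, not part of the announcement or of the DOMPurify project: one way to find DOMPurify copies in an npm lockfile that are older than the fixed releases named above (2.5.3 and 3.1.3). It assumes a lockfileVersion 2/3 `packages` map and that the two release lines are told apart by major version; the function names and the sample lockfile are constructed for illustration.

```javascript
// First fixed release per major line, taken from the announcement.
const FIXED = { 2: [2, 5, 3], 3: [3, 1, 3] };

// Parse "MAJOR.MINOR.PATCH". Pre-release or build suffixes are rejected so
// that a string such as "3.1.3-rc.1" is never counted as the fixed release.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric, component-wise comparison (so 2.10.0 sorts after 2.5.3).
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "fixed", "outdated", or "unknown" (unparseable version, or a major line
// the announcement does not mention).
function classify(version) {
  const parsed = parseVersion(version);
  if (!parsed || !FIXED[parsed[0]]) return "unknown";
  return compare(parsed, FIXED[parsed[0]]) >= 0 ? "fixed" : "outdated";
}

// Walk the "packages" map and report every installed dompurify copy,
// including copies nested under other dependencies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (package names and versions are illustrative).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/dompurify": { version: "3.1.3" },
    "node_modules/some-editor/node_modules/dompurify": { version: "2.5.2" },
    "node_modules/legacy-widget/node_modules/dompurify": { version: "1.0.11" },
    "node_modules/my-dompurify-wrapper": { version: "2.9.0" },
  },
};

for (const f of auditLockfile(sampleLock)) console.log(f.status.padEnd(8), f.version, f.path);
```

For a real project, pass the parsed contents of `package-lock.json` to `auditLockfile`; nested copies reported as `outdated` usually need the parent dependency updated or an override.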