[DOMPurify Security] New Release Versions 2.5.3 & 3.1.3 (Security Issue)
Security Announcements for DOMPurify and related tools
dompurify-security at lists.ruhr-uni-bochum.de
Sat May 11 12:30:39 CEST 2024
*Intro*
New versions of DOMPurify were released today: DOMPurify 2.5.3 & 3.1.3
*Background*
It has been discovered that malicious HTML using special nesting
techniques can bypass the depth checking added to DOMPurify in recent
releases. It was also possible to use Prototype Pollution to weaken the
depth check.
The problems were reported and fixed in cooperation with @kevin-mizu and
@Ry0taK.
*Fix*
DOMPurify now has better protection against DOM Clobbering, Prototype
Pollution and bypasses regarding the recently discovered nesting-based
mXSS attacks. Stronger validation of nesting depth has been added, as
well as additional protection against nesting-based bypasses.
*Packages*
Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/2.5.3
https://github.com/cure53/DOMPurify/releases/tag/3.1.3
EOF
--
Fon +49 1520 8675 782
PGP 0xC26C858090F70ADA
cure53.de || keybase.io/cure53 || @cure53berlin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ruhr-uni-bochum.de/pipermail/dompurify-security/attachments/20240511/2705db4f/attachment.sig>
More information about the DOMPurify-Security
mailing list