What is CVE-2024-45801?

CVE-2024-45801 is a high-severity vulnerability in Cure53 Dompurify, classified under Inefficient Regular Expression Complexity. CVSS score: 7.3/10. Published 2024-09-16.

How severe is CVE-2024-45801?

High severity. CVSS v3 base score is 7.3 out of 10.

Is CVE-2024-45801 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Cure53 Dompurify

CVE-2024-45801

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It…

Vulnerability class: ReDoS (Regular Expression Denial of Service)

EPSS: 0.001 (26.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.

Affected products

Cure53 Dompurify — versions < 2.5.4, >=3.0.0, < 3.1.3

Weakness classification (CWE)

CWE-1333 — Inefficient Regular Expression Complexity

Public proof-of-concept exploits

mohitmaikhuri03/DEMO

References

https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674 (x_refsource_CONFIRM)
https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (x_refsource_MISC)
https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-45801?: CVE-2024-45801 is a high-severity vulnerability in Cure53 Dompurify, classified under Inefficient Regular Expression Complexity. CVSS score: 7.3/10. Published 2024-09-16.
How severe is CVE-2024-45801?: High severity. CVSS v3 base score is 7.3 out of 10.
Is CVE-2024-45801 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.