DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
Weakness
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Dompurify | Cure53 | * | 2.4.2 (excluding) |
| Red Hat Advanced Cluster Security 4.4 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.4.6-2 | * |
| Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.5.5-3 | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | openshift4/ose-monitoring-plugin-rhel8:v4.14.0-202411130434.p0.gb57ebe7.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-networking-console-plugin-rhel9:v4.17.0-202501150934.p0.g0244dff.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/nmstate-console-plugin-rhel9:v4.17.0-202501301204.p0.gcffdc60.assembly.stream.el9 | * |
| RHODF-4.14-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.14.18-2 | * |
| RHODF-4.14-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.14.18-3 | * |
| RHODF-4.14-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.14.18-2 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.15.14-2 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.15.14-2 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.15.14-2 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.16.5-2 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.16.5-2 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.16.5-2 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.17.2-1 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.17.2-1 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.17.2-1 | * |
| Red Hat OpenShift Container Platform 4.12 | RedHat | openshift4/ose-console:sha256:2281a7cabe90a7f399d8c891b7df539ff66cc521f859cc0d0d8a9f12c5e6511e | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/ose-console:sha256:205f1a4ac1a6d1ca7fc14a5b400edefbf0e04a2a475b106c53e28cceebdf70ce | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | openshift4/ose-console:sha256:38e465d97ace4e243b4ed90607aede5f8fb7089dec28038dccec49bcde1040a6 | * |
| Red Hat OpenShift Container Platform 4.15 | RedHat | openshift4/ose-console:sha256:9c69c2600d5d0317fcbc2650fc4b52d319a32c3df9db6b5543b6ff254c3b9fe5 | * |
| Red Hat OpenShift Container Platform 4.16 | RedHat | openshift4/ose-console-rhel9:sha256:fd5d57dc08ec1ea279a331a8b17edb23d0a4a6dddda7e9f7912d77c6f50046af | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-console-rhel9:sha256:2a838d7f96c86d893680eab335bd6acbfd43fc5bf02839ed0fc90006daa53d21 | * |
| Red Hat OpenShift Container Platform 4.18 | RedHat | openshift4/ose-console-rhel9:sha256:ea693854d11666860a69af5c6acfa65c931da56e16e4fab8b0e9541c7be6b953 | * |
| Red Hat OpenShift Container Platform 4.19 | RedHat | openshift4/ose-console-rhel9:sha256:b9a09e5806f5a9ace5cfd36f15a3362117eb47a9528607a1d7e25fe647ad4bac | * |
| Red Hat OpenShift Container Platform 4.2 | RedHat | openshift4/ose-console-rhel9:sha256:792c7a8d3475e21a5949550bbbe472ff6b001ed050bb9ebb1ff29c2ed8af1cbc | * |
| Node-dompurify | Ubuntu | upstream | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/1.html
- https://cwe.mitre.org/data/definitions/180.html
- https://cwe.mitre.org/data/definitions/77.html