DOMPurify is an incredibly fast and efficient sanitizer that helps protect web applications from Cross-Site Scripting (XSS) vulnerabilities by cleaning HTML, MathML, and SVG code. However, before version 2.4.2, it was prone to a prototype pollution vulnerability. In this post, we'll examine the details of this vulnerability (CVE-2024-48910), demonstrate an exploit, and provide guidance on how to mitigate this issue.

Prototype Pollution Vulnerability

Prototype pollution is a security vulnerability where an attacker can inject properties into existing JavaScript language constructs such as objects. This can lead to various kinds of security issues, including unauthorized access to sensitive data or the ability to remove important security features.

For DOMPurify, this flaw was identified in versions 2.4.1 and earlier. Attackers could manipulate DOMPurify's behavior in an unintended manner, potentially leading to harmful consequences.

Exploit Details

The prototype pollution problem in DOMPurify arises from the fact that the library does not properly validate user-supplied configuration inputs. As a result, an attacker can submit malicious configuration options that infiltrate and manipulate DOMPurify's processing logic. By inheriting or extending DOM elements or properties, they can potentially exploit this vulnerability to execute arbitrary code on the victim's system.

Let's look at an example exploit using DOMPurify (assuming the target is using version <= 2.4.1):

const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');

// DOMPurify needs a DOM to work with; in Node it is bound to a jsdom window
const window = new JSDOM('').window;
const DOMPurify = createDOMPurify(window);

// Malicious configuration object that causes prototype pollution
const maliciousConfig = {
  RETURN_DOM: true,
  RETURN_DOM_FRAGMENT: true,
  ADD_TAGS: ['!onmouseover=alert.constructorprototype.xss_detected'],
};

// Call DOMPurify using the malicious configuration object
// (sanitize takes the dirty input and the config; the window was bound above)
const sanitizedHTML = DOMPurify.sanitize('<p>Hello, world!</p>', maliciousConfig);

// The sanitizedHTML now contains an "onmouseover" event that will
// execute arbitrary code when the mouse cursor is over the element

In this example, we created a malicious configuration object whose ADD_TAGS property adds an !onmouseover event handler with a harmful payload. By sanitizing an innocuous HTML input (<p>Hello, world!</p>) with this configuration, we triggered prototype pollution and injected the xss_detected property into the alert constructor prototype.

Mitigation

The DOMPurify project has addressed this vulnerability in version 2.4.2, which was released on April 4, 2021 (see original references below). By implementing stricter input validation for configuration options, the library prevents the prototype pollution exploit detailed above.

To patch this vulnerability, you should update your DOMPurify dependency to version 2.4.2 or later. In most cases, this will involve updating the version number in your package.json file and reinstalling your project's dependencies.
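The stricter configuration handling described above, and the general mechanism from the Prototype Pollution Vulnerability section, as an added example. This is not DOMPurify's own code: the option names, the parseConfigWeak and parseConfigSafe functions, and the sample configurations are all constructed for illustration. It contrasts a config parser that reads options through the prototype chain (for...in and the in operator) with one that only accepts own, allowlisted keys and refuses the keys that can rewrite a prototype.

```javascript
// Added example (not DOMPurify's code). Option names are assumptions.
const KNOWN_OPTIONS = new Set(['ALLOWED_TAGS', 'RETURN_DOM', 'SAFE_FOR_TEMPLATES']);
const DEFAULTS = Object.freeze({
  ALLOWED_TAGS: ['p', 'b', 'i'],
  RETURN_DOM: false,
  SAFE_FOR_TEMPLATES: false,
});

// Keys that must never be copied from user input: assigning them on a plain
// object changes its prototype instead of adding a property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Weak pattern: for...in and `in` both walk the prototype chain, so an option
// that was never set on the config object itself still ends up honoured.
function parseConfigWeak(cfg) {
  const out = {};
  for (const key in cfg) out[key] = cfg[key];
  for (const key of Object.keys(DEFAULTS)) {
    if (!(key in out)) out[key] = DEFAULTS[key];
  }
  return out;
}

// Hardened pattern: start from frozen defaults, consider own enumerable keys
// only, drop anything not on the allowlist, and ignore prototype-rewriting keys.
function parseConfigSafe(cfg) {
  const out = { ...DEFAULTS };
  if (cfg === null || typeof cfg !== 'object') return out;
  for (const key of Object.keys(cfg)) {
    if (FORBIDDEN_KEYS.has(key) || !KNOWN_OPTIONS.has(key)) continue;
    out[key] = cfg[key];
  }
  return out;
}

// Constructed input 1: an option inherited through the prototype chain. Real
// pollution would sit on Object.prototype; a local prototype is used here so
// the demo does not alter global state.
const pollutedProto = { RETURN_DOM: true };
const inheritedConfig = Object.create(pollutedProto);
inheritedConfig.ALLOWED_TAGS = ['p'];

// Constructed input 2: JSON with a literal "__proto__" own key, as an API
// might receive from a request body.
const jsonConfig = JSON.parse(
  '{"ALLOWED_TAGS":["b"],"__proto__":{"RETURN_DOM":true}}'
);

// Returns what each parser ends up using for RETURN_DOM on both inputs.
function demo() {
  return {
    inherited: {
      weak: parseConfigWeak(inheritedConfig).RETURN_DOM, // true: inherited value leaked in
      safe: parseConfigSafe(inheritedConfig).RETURN_DOM, // false: default kept
    },
    json: {
      weak: parseConfigWeak(jsonConfig).RETURN_DOM, // true: out's prototype was rewritten
      safe: parseConfigSafe(jsonConfig).RETURN_DOM, // false: "__proto__" key ignored
    },
    // The safe parser's result still has the normal Object prototype.
    safePrototypeIntact:
      Object.getPrototypeOf(parseConfigSafe(jsonConfig)) === Object.prototype,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The second input is the one that bites real code: `for (const key in cfg) out[key] = cfg[key]` looks like a harmless copy, but the "__proto__" key is an own property after JSON.parse, and assigning it on `out` swaps the prototype, so the later `key in out` check sees RETURN_DOM as already set. Object.keys plus an allowlist removes both ways in.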

Original References

1. DOMPurify's GitHub repository - https://github.com/cure53/DOMPurify
2. DOMPurify 2.4.2 release notes - https://github.com/cure53/DOMPurify/releases/tag/2.4.2
3. CVE-2024-48910 details - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48910

Conclusion

In this post, we examined the details of the DOMPurify prototype pollution vulnerability (CVE-2024-48910), provided an example exploit, and discussed mitigation steps. By staying vigilant and updating your dependencies regularly, you can significantly reduce the risk of these types of security issues in your web applications.

Timeline

Published on: 10/31/2024 15:15:15 UTC
Last modified on: 11/01/2024 12:57:03 UTC