CVE-2024-47875: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cure53 DOMPurify
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
AI Analysis
Technical Summary
DOMPurify is a popular JavaScript library designed to sanitize HTML, MathML, and SVG inputs to prevent cross-site scripting (XSS) attacks by neutralizing malicious code embedded in user-generated content. CVE-2024-47875 identifies a critical vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a nesting-based mutation XSS (mXSS) flaw. In a mutation XSS, markup that parses to a harmless DOM tree at sanitization time is re-serialized and re-parsed by the browser into a different, script-bearing tree; here the mutation is triggered by nested element structures that DOMPurify did not sanitize correctly, so attacker-controlled markup can end up executing script in the victim's browser context. The flaw affects all DOMPurify versions prior to 2.5.0 and 3.1.3, with the issue fixed in these releases. The CVSS v3.1 score of 10.0 reflects the vulnerability's severity: it is remotely exploitable over the network without any privileges or user interaction, and it impacts confidentiality, integrity, and availability (C, I, A) of affected systems. Exploitation could lead to session hijacking, data theft, defacement, or further attacks on internal networks. Although no active exploits have been reported, the widespread adoption of DOMPurify in web applications globally makes this a significant risk. The vulnerability's complexity lies in the subtlety of nested input sanitization failures, and developers should update to the patched versions promptly.
Potential Impact
For European organizations, the impact of CVE-2024-47875 can be severe due to the extensive use of DOMPurify in web applications, including content management systems, e-commerce platforms, and internal portals. Successful exploitation could lead to unauthorized disclosure of sensitive data, including personal data protected under GDPR, resulting in regulatory penalties and reputational damage. Integrity breaches could allow attackers to manipulate displayed content or inject fraudulent information, undermining trust and potentially causing financial losses. Availability impacts might include denial-of-service conditions triggered by malicious scripts. Sectors such as finance, healthcare, government, and critical infrastructure are particularly vulnerable due to the sensitivity of their data and services. The vulnerability's remote and unauthenticated exploitability increases the attack surface, especially for public-facing applications. Additionally, the cross-site scripting nature facilitates phishing and social engineering attacks, amplifying the threat. Organizations failing to patch promptly risk exposure to advanced persistent threats and automated exploit tools once they emerge.
Mitigation Recommendations
European organizations should immediately audit their web applications and libraries to identify usage of DOMPurify versions prior to 2.5.0 or 3.1.3. The primary mitigation is to upgrade DOMPurify to version 2.5.0 or later, or 3.1.3 or later, where the vulnerability is fixed. Developers should review custom sanitization logic and dependency trees to ensure that no bundled, vendored, or transitively pinned copy of a vulnerable version remains in use. Implement Content Security Policy (CSP) headers with strict script-src directives to limit script execution sources and reduce the impact of potential XSS. Employ runtime application self-protection (RASP) tools that can detect and block XSS payloads dynamically. Conduct thorough penetration testing focusing on nested input scenarios to validate remediation. Educate development teams about secure coding practices related to input sanitization and nested content handling. Monitor web application logs and security alerts for suspicious activity indicative of attempted exploitation. Finally, maintain an incident response plan tailored to XSS incidents to enable rapid containment and recovery.
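As an added illustration of the audit step above (example code written for this page, not taken from the advisory or from the DOMPurify project), the following Node.js script checks DOMPurify version strings against the fixed releases named in the advisory and walks the `packages` map of an npm package-lock.json (lockfileVersion 2/3), which is where nested transitive copies are recorded. The function names are hypothetical and the lock-file contents are constructed; the script assumes that releases before the 2.x line are affected and that any major line after 3.x carries the fix.

```javascript
// Added example (not from the advisory or the DOMPurify project): audit a
// dependency tree for DOMPurify releases affected by CVE-2024-47875.
// Fixed releases per the advisory: 2.5.0 on the 2.x line and 3.1.3 on the 3.x line.
// Assumptions: releases before 2.x are treated as affected (they predate the fix),
// and any major line above 3.x is treated as fixed. Helper names are hypothetical
// and the lock-file data below is constructed for illustration.

const FIXED_VERSIONS = { 2: [2, 5, 0], 3: [3, 1, 3] };

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; a pre-release suffix is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two [major, minor, patch] triples: returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` is a DOMPurify release the advisory lists as affected.
function isVulnerableDomPurify(version) {
  const parsed = parseVersion(version);
  if (!parsed) throw new Error(`unparseable DOMPurify version: ${version}`);
  const major = parsed[0];
  if (major < 2) return true;               // pre-2.x: released before the fix existed
  const fixed = FIXED_VERSIONS[major];
  if (!fixed) return false;                 // assumption: later major lines are fixed
  return compareVersions(parsed, fixed) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and report
// every dompurify install path, including nested (transitive) copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [installPath, pkg] of Object.entries(lock.packages || {})) {
    const isDomPurify =
      installPath === 'node_modules/dompurify' ||
      installPath.endsWith('/node_modules/dompurify');
    if (isDomPurify && pkg.version) {
      findings.push({
        path: installPath,
        version: pkg.version,
        vulnerable: isVulnerableDomPurify(pkg.version),
      });
    }
  }
  return findings;
}

// Constructed sample: a patched top-level copy plus a vulnerable transitive copy
// pulled in by a hypothetical editor package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/dompurify': { version: '3.1.3' },
    'node_modules/some-editor': { version: '4.2.0' },
    'node_modules/some-editor/node_modules/dompurify': { version: '2.4.7' },
  },
};

// Aggregate the findings so a CI job can fail when any affected copy is present.
function summarizeAudit(lock) {
  const findings = auditLockfile(lock);
  return {
    findings,
    vulnerableCount: findings.filter((f) => f.vulnerable).length,
  };
}

const report = summarizeAudit(sampleLock);
for (const f of report.findings) {
  console.log(`${f.path}@${f.version}: ${f.vulnerable ? 'AFFECTED' : 'fixed'}`);
}
console.log(`${report.vulnerableCount} affected DOMPurify copy/copies found`);
```

Note that a patched top-level dependency does not clear the tree: the constructed sample deliberately shows a 3.1.3 copy at the root alongside a 2.4.7 copy nested under another package, and only a walk over every install path catches the second one. Feeding a real package-lock.json into `summarizeAudit` (after `JSON.parse`) and failing the build on a non-zero `vulnerableCount` turns the audit into a repeatable check.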
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2024-10-04T16:00:09.630Z
- CVSS Version: 3.1
- State: PUBLISHED
 
Threat ID: 690908517fff0e30cee23587
Added to database: 11/3/2025, 7:53:53 PM
Last enriched: 11/3/2025, 7:58:21 PM
Last updated: 11/4/2025, 3:16:29 AM