DOMPurify is a popular client-side sanitization library used to cleanse HTML, MathML, and SVG inputs to prevent cross-site scripting (XSS) attacks by removing or neutralizing malicious code. CVE-2024-48910 identifies a prototype pollution vulnerability classified under CWE-1321, which occurs when an attacker can manipulate the prototype of a base object in JavaScript. This manipulation can lead to unexpected behavior in the application, including the possibility of executing arbitrary code or bypassing security mechanisms that rely on object properties. The vulnerability affects all DOMPurify versions prior to 2.4.2 and does not require any privileges or user interaction, making it remotely exploitable over the network. The CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates that the attack vector is network-based, with low attack complexity, no privileges or user interaction required, and results in high confidentiality and integrity impacts without affecting availability. Although no public exploits have been reported yet, the critical nature of the flaw and DOMPurify’s widespread use in web applications make it a significant threat. The vulnerability was publicly disclosed on October 31, 2024, and fixed in version 2.4.2 of DOMPurify. Organizations using vulnerable versions should prioritize patching and review their usage of DOMPurify to ensure no unsafe patterns remain.

For European organizations, the impact of this vulnerability is substantial. DOMPurify is commonly integrated into web applications to sanitize user-generated content and prevent XSS attacks. Exploitation of this prototype pollution flaw could allow attackers to inject malicious scripts, leading to data theft, session hijacking, or unauthorized actions within affected applications. This compromises confidentiality and integrity of sensitive data, including personal information, financial records, and intellectual property. Sectors such as finance, healthcare, government, and critical infrastructure, which rely heavily on secure web applications, are particularly at risk. The vulnerability’s ease of exploitation and lack of required authentication increase the likelihood of attacks, potentially resulting in regulatory non-compliance under GDPR and other data protection laws. Additionally, compromised web applications could serve as a foothold for further lateral movement within networks, amplifying the threat. The absence of availability impact means systems remain operational but compromised, which can delay detection and response.

1. Immediately upgrade all instances of DOMPurify to version 2.4.2 or later to apply the official patch addressing the prototype pollution vulnerability. 2. Conduct a thorough audit of all web applications utilizing DOMPurify to identify and remediate unsafe usage patterns, such as unsanitized inputs or improper integration. 3. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 4. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with rules tuned to detect and block prototype pollution and related injection attempts. 5. Monitor application logs and network traffic for unusual behavior indicative of exploitation attempts, focusing on anomalous object property modifications. 6. Educate development teams on secure coding practices related to prototype pollution and sanitization libraries. 7. Establish a rapid patch management process to respond promptly to future vulnerabilities in third-party libraries. 8. Consider isolating critical web application components to limit the blast radius in case of compromise.