Skip to content

⬆️(dependencies) update dompurify to v3.2.4 [SECURITY]#2687

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-dompurify-vulnerability
Open

⬆️(dependencies) update dompurify to v3.2.4 [SECURITY]#2687
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-dompurify-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 14, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
dompurify 3.2.33.2.4 age confidence

GitHub Vulnerability Alerts

CVE-2024-45801

It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

This renders dompurify unable to avoid XSS attack.

Fixed by cure53/DOMPurify@1e52026 (3.x branch) and cure53/DOMPurify@26e1d69 (2.x branch).

CVE-2024-47875

DOMpurify was vulnerable to nesting-based mXSS

fixed by 0ef5e537 (2.x) and
merge 943

Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking

POC is avaible under test

CVE-2024-48910

dompurify was vulnerable to prototype pollution

Fixed by cure53/DOMPurify@d1dd037

CVE-2025-26791

DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).

Release Notes

cure53/DOMPurify (dompurify)

v3.2.4: DOMPurify 3.2.4

Compare Source

  • Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
  • Added a new feature to allow specific hook removal, thanks @​davecardwell
  • Added purify.js and purify.min.js to exports, thanks @​Aetherinox
  • Added better logic in case no window object is president, thanks @​yehuya
  • Updated some dependencies called out by dependabot
  • Updated license files etc to show the correct year

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Feb 14, 2025
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 3 times, most recently from 3bfeb3d to 8abcceb Compare February 19, 2025 14:30
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 2 times, most recently from 79cb035 to 0abd08e Compare March 7, 2025 13:59
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 2 times, most recently from 2f1e837 to 7f44589 Compare March 20, 2025 08:37
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 5 times, most recently from 99c9dc9 to 87b459b Compare April 15, 2025 12:49
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from 87b459b to 3474df1 Compare April 22, 2025 12:23
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 3 times, most recently from 04f141e to f8a8b41 Compare May 6, 2025 08:04
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 2 times, most recently from 0e78c00 to 2c07501 Compare May 23, 2025 13:39
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from 2c07501 to cc73b80 Compare May 26, 2025 15:47
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 4 times, most recently from 0cc5a2b to 6e91f70 Compare June 13, 2025 09:44
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 5 times, most recently from b4d8cd8 to 59831f2 Compare June 25, 2025 17:09
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from 59831f2 to 72b4588 Compare July 1, 2025 08:38
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 2 times, most recently from ff102db to 5460d35 Compare July 7, 2025 09:21
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 4 times, most recently from ea63910 to ae4ebe0 Compare July 15, 2025 13:38
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 3 times, most recently from 5e38a45 to ab30a0f Compare July 17, 2025 17:04
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from ab30a0f to 4631cf0 Compare October 24, 2025 11:22
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from 4631cf0 to c80a323 Compare November 6, 2025 15:04
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 2 times, most recently from 26b711b to 8bcc5eb Compare November 25, 2025 09:34
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 2 times, most recently from 9c39cfe to 1ff88f1 Compare December 12, 2025 13:53
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from 1ff88f1 to 1c50558 Compare January 7, 2026 15:23
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from 1c50558 to 2f2c045 Compare January 22, 2026 11:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants