{"id":"CVE-2024-47875","summary":"DOMPurify nesting-based mXSS","details":"DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mutation XSS (mXSS), where markup that passes sanitization is changed when the browser parses it again. This vulnerability is fixed in versions 2.5.0 and 3.1.3.","aliases":["GHSA-gx9m-whjm-85jf"],"modified":"2026-04-10T05:18:16.781420Z","published":"2024-10-11T14:59:27.641Z","related":["ALSA-2024:8327","ALSA-2024:8678","ALSA-2024:9473","CGA-vwxq-5h3q-2fvp","openSUSE-SU-2025:14663-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47875.json","cwe_ids":["CWE-79"]},"references":[{"type":"WEB","url":"http://seclists.org/fulldisclosure/2025/Apr/14"},{"type":"WEB","url":"https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47875.json"},{"type":"ADVISORY","url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47875"},{"type":"FIX","url":"https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f"},{"type":"FIX","url":"https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cure53/dompurify","events":[{"introduced":"5dcf2a012c70ea8b65c0ecff7de86a61d7d98181"},{"fixed":"3fe78d7501103832166613bb1452985dd4674008"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47875.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"}]}