CVE-2024-48910

CRITICAL

DOMPurify < 2.4.2 - Prototype Pollution

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2024-48910. PoCs published by Galaxy-sc, Mitchellzhou1, Alex-Acero-Security.

AI-analyzed exploit summary: This repository contains a Go-based scanner designed to detect vulnerable deployments of DOMPurify (versions up to 3.4.4) by analyzing JavaScript bundles for the presence of DOMPurify and the `<selectedcontent>` tag, which indicates a potential XSS bypass vulnerability.

Description

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.

Exploits (4)

github SCANNER
by Galaxy-sc · gopoc
https://github.com/Galaxy-sc/CVE-2024-48910-dompurify-xss-detector

This repository contains a Go-based scanner designed to detect vulnerable deployments of DOMPurify (versions up to 3.4.4) by analyzing JavaScript bundles for the presence of DOMPurify and the `<selectedcontent>` tag, which indicates a potential XSS bypass vulnerability.

Classification: Scanner 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: DOMPurify < 3.4.5
No auth needed
Prerequisites: Access to the target URL · JavaScript bundles must be accessible
devstral-2 · analyzed Jun 04, 2026

github SCANNER
by Galaxy-sc · gopoc
https://github.com/Galaxy-sc/CVE-2024-48910-dompurify-mxss-detector

This repository contains a Go-based scanner designed to detect vulnerable deployments of DOMPurify (versions < 3.4.5) by analyzing JavaScript bundles for the presence of specific patterns indicative of the mXSS vulnerability involving the `<selectedcontent>` tag.

Classification: Scanner 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: DOMPurify < 3.4.5
No auth needed
Prerequisites: Access to the target URL · JavaScript bundles must be accessible
devstral-2 · analyzed Jun 03, 2026

nomisec WORKING POC
by Mitchellzhou1 · poc
https://github.com/Mitchellzhou1/CVE-2024-48910-PoC

The repository provides a functional proof-of-concept for CVE-2024-48910, demonstrating a prototype pollution vulnerability in DOMPurify that allows bypassing XSS protections by manipulating `Object.prototype.hasOwnProperty` and `ALLOWED_ATTR`. The PoC includes executable JavaScript code that exploits the vulnerability to achieve XSS.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: DOMPurify versions prior to 2.4.2
No auth needed
Prerequisites: A vulnerable version of DOMPurify (e.g., 2.4.1)
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by Alex-Acero-Security · poc
https://github.com/Alex-Acero-Security/CVE-2024-48910-POC

This repository contains a functional proof-of-concept for CVE-2024-48910, demonstrating a prototype pollution vulnerability in a Node.js server. The exploit leverages unsafe object merging to manipulate `Object.prototype`, which can lead to arbitrary code execution in client-side JavaScript.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Node.js applications with unsafe object merging
No auth needed
Prerequisites: A vulnerable Node.js server with unsafe object merging · Ability to send crafted HTTP requests to the `/api/config` endpoint
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3: 9.1
EPSS: 0.0259
EPSS Percentile: 86.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-1321
Status: published
Products (2):
cure53/dompurify < 2.4.2
npm/dompurify 0 - 2.4.2
Published: Oct 31, 2024
Tracked Since: Feb 18, 2026