CVE-2024-48910: DOMPurify vulnerable to tampering by prototype pollution
Published Oct 31, 2024
DOMPurify could allow a remote authenticated attacker to execute arbitrary code on the system because of a prototype pollution flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
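As an added illustration of the vulnerability class named above (constructed for this page; it is not DOMPurify's code or its fix), the block below shows a stand-in sanitizer configuration reader in a pollution-sensitive form and a hardened form, plus a small check for a polluted Object.prototype. All function names and the DEFAULTS table are assumptions.

```javascript
// Constructed illustration of configuration tampering through prototype
// pollution. This is NOT DOMPurify's code: a tiny stand-in config reader is
// shown in a pollution-sensitive form and a hardened form.
// Assumed names: DEFAULTS, readConfigUnsafe, readConfigSafe, demo, pollutedKeys.

const DEFAULTS = { ALLOWED_TAGS: ['b', 'i', 'p'], FORBID_TAGS: ['script'] };

// Pollution-sensitive: `key in cfg` and plain property reads also see
// inherited properties, so a value planted on Object.prototype silently
// overrides the sanitizer's defaults even when the caller passed nothing.
function readConfigUnsafe(cfg = {}) {
  const out = {};
  for (const key of Object.keys(DEFAULTS)) {
    out[key] = key in cfg ? cfg[key] : DEFAULTS[key];
  }
  return out;
}

// Hardened: only own properties of the caller's object count, and the result
// lives on a null-prototype object so later lookups cannot fall through to
// Object.prototype either.
function readConfigSafe(cfg = {}) {
  const out = Object.create(null);
  for (const key of Object.keys(DEFAULTS)) {
    out[key] = Object.prototype.hasOwnProperty.call(cfg, key)
      ? cfg[key]
      : DEFAULTS[key];
  }
  return out;
}

// Detection aid: enumerable keys on Object.prototype should always be an
// empty list in a healthy process; anything listed here is pollution.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

// Demonstration: plant a constructed polluted value, read the config with both
// readers, then remove the pollution so it does not leak into other code.
function demo() {
  Object.prototype.FORBID_TAGS = []; // constructed pollution for the demo only
  try {
    return {
      unsafe: readConfigUnsafe({}).FORBID_TAGS, // [] : 'script' no longer forbidden
      safe: readConfigSafe({}).FORBID_TAGS,     // ['script'] : default preserved
    };
  } finally {
    delete Object.prototype.FORBID_TAGS;
  }
}
```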
Affected Software (3 affected components; fixes available)
- npm/dompurify < 2.4.2 (fixed in 2.4.2)
- Cure53 DOMPurify < 2.4.2
- IBM watsonx.data intelligence <= 5.2.0, 5.2.1, 5.3.0, 5.3.1
Remediation: upgrade DOMPurify to version 2.4.2 or later.
Event History
Oct 31, 2024
- CVE Published via MITRE, 02:22 PM
- Data Sourced via MITRE, 02:22 PM (description, severity, weakness)
- Advisory Published via GitHub, 02:23 PM
- Data Sourced via Red Hat, 03:01 PM (description, severity, affected software)
- Data Sourced via NVD, 03:15 PM (description, severity, weakness)
- Data Sourced via NVD, 03:15 PM (remedy, affected software)
Apr 27, 2026
- Data Sourced via IBM, 12:00 AM (description, affected software)
Frequently Asked Questions
1. What is the severity of CVE-2024-48910?
CVE-2024-48910 is a high severity vulnerability that allows a remote authenticated attacker to execute arbitrary code due to prototype pollution.
2. How do I fix CVE-2024-48910?
To fix CVE-2024-48910, upgrade DOMPurify to version 2.4.2 or later.
3. Who is affected by CVE-2024-48910?
CVE-2024-48910 affects applications that use the DOMPurify package versions prior to 2.4.2.
4. What type of vulnerability is CVE-2024-48910?
CVE-2024-48910 is a prototype pollution vulnerability that can lead to remote code execution.
5. Can CVE-2024-48910 be exploited remotely?
Yes, CVE-2024-48910 can be exploited remotely by an authenticated attacker.