CVE-2024-45801 – Cross-site scripting (XSS) sanitization bypass
Severity: Low
2025-12-19
Abstract
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use prototype pollution to weaken the depth check. This renders DOMPurify unable to prevent cross-site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.
The Oxygen products incorporate DOMPurify and Swagger UI as third-party libraries. This advisory was opened to address the potential impact of this third-party library vulnerability on those products.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen Feedback v5.0 and older | None | N/A |
| Oxygen Content Fusion v7.0 and older | Low | Oxygen Content Fusion 7.1 build 2024100818 |
| Oxygen XML Editor v26.1 and older | None | Oxygen XML Editor 26.1 build 2025060207 |
| Oxygen XML Author v26.1 and older | None | Oxygen XML Editor 26.1 build 2025060207 |
| Oxygen XML Developer v26.1 and older | None | Oxygen XML Editor 26.1 build 2025060207 |
| Oxygen Publishing Engine v26.1 and older | None | Oxygen Publishing Engine 26.1 build 2025053100 |
| Oxygen XML WebHelp v26.1 and older | None | Oxygen XML WebHelp 26.1 build 2025053008 |
Detail
CVE-2024-45801
Severity (CVE rating, as opposed to the product severity above): High
CVSS Score: 7.3
CVE-2024-45801 is an XSS sanitization bypass in DOMPurify. Special HTML nesting and prototype‑pollution techniques can defeat DOMPurify’s depth checks, enabling cross‑site scripting. The issue is fixed upstream in DOMPurify 2.5.4 and 3.1.3. Swagger UI bundles DOMPurify, so deployments that include Swagger UI may be indirectly exposed. Upstream states there are no known workarounds.
We reviewed all usage of DOMPurify directly and transitively via Swagger UI. Where applicable, we updated DOMPurify to a fixed version or removed Swagger UI.
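One way to carry out that kind of review on an npm-based component, as an added example that is not Oxygen's or DOMPurify's own tooling: walk a package-lock.json (lockfileVersion 2 or 3), where the `packages` map is keyed by install path, so DOMPurify copies nested under another dependency such as Swagger UI show up as separate entries, and compare each copy against the two fixed versions named in the advisory. The check deliberately treats the 2.x and 3.x lines separately, because 3.0.0 through 3.1.2 sort above 2.5.4 yet remain affected. The sample lockfile fragment below is constructed for the demonstration and does not describe any real project.

```javascript
// Added example (not Oxygen's or DOMPurify's code): report every copy of
// DOMPurify in an npm lockfile that predates the CVE-2024-45801 fixes,
// 2.5.4 on the 2.x line and 3.1.3 on the 3.x line.
// Assumes package-lock.json with lockfileVersion 2 or 3, whose "packages"
// map is keyed by install path (e.g. node_modules/swagger-ui/node_modules/dompurify).

// Parse "MAJOR.MINOR.PATCH" into numbers; a leading "v" or a pre-release suffix is tolerated.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// The fix shipped separately on the two maintained lines, so a single
// ">= 2.5.4" test is wrong: 3.0.0 through 3.1.2 are newer than 2.5.4 and still
// affected. Anything older than 2.5.4 (including 1.x) is treated as affected.
function isVulnerableDompurify(version) {
  const v = parseVersion(version);
  if (v[0] >= 4) return false;                        // later major lines postdate the fix
  if (v[0] === 3) return compareVersions(v, [3, 1, 3]) < 0;
  return compareVersions(v, [2, 5, 4]) < 0;
}

// Walk the lockfile's "packages" map and return the affected DOMPurify installs.
function findVulnerableDompurify(lock) {
  const packages = (lock && lock.packages) || {};
  const hits = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === '') continue;                 // the root project entry
    // Aliased installs carry an explicit "name"; otherwise the name is the last path segment.
    const name = meta.name || installPath.split('node_modules/').pop();
    if (name !== 'dompurify' || !meta.version) continue;
    if (isVulnerableDompurify(meta.version)) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment for the demonstration; not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/dompurify': { version: '3.1.3' },                            // top-level copy, fixed
    'node_modules/swagger-ui': { version: '5.17.0' },
    'node_modules/swagger-ui/node_modules/dompurify': { version: '3.1.2' },    // nested copy, affected
    'node_modules/legacy-widget/node_modules/dompurify': { version: '2.5.3' }, // 2.x line, affected
  },
};

// Usage: node check-dompurify.js [path/to/package-lock.json]
// Without an argument the constructed sample is checked. Returns the number of affected copies.
function main(argv) {
  const lock = argv[2]
    ? JSON.parse(require('fs').readFileSync(argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerableDompurify(lock);
  for (const h of hits) {
    console.log(`${h.path}: dompurify ${h.version} predates the CVE-2024-45801 fix`);
  }
  return hits.length;
}

main(process.argv);
```

For a Java service that pulls Swagger UI in through a webjar such as springdoc-openapi-ui there is no npm lockfile to inspect; the equivalent check is the Swagger UI version the webjar carries, since the DOMPurify copy is compiled into the Swagger UI bundle rather than installed alongside it.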
Oxygen Content Fusion is affected because the content-fusion-indexing service bundled swagger-ui through the springdoc-openapi-ui dependency. That dependency was removed starting with version 7.1 build 2024100818.
In Oxygen XML WebHelp, the DOMPurify library was updated to a version that fixes this vulnerability. Fixed in 26.1 build 2025053008 and newer versions.
In Oxygen Publishing Engine, the vulnerability was fixed by the same DOMPurify update. Fixed in 26.1 build 2025053100 and newer versions.
In Oxygen XML Editor, the vulnerability was fixed in 26.1 build 2025060207 and newer versions.
In Oxygen Feedback, Swagger UI is disabled in production, so we consider the issue not exploitable in product deployments.
