DOMPurify Directory Traversal Vulnerability in Development Helper Script

A directory traversal vulnerability has been identified in DOMPurify versions through 3.2.5, specifically within the 'scripts/server.js' file. The issue arises because the script does not properly validate user-controlled data when constructing file paths, allowing access to files outside the intended directory. This vulnerability could be exploited to read sensitive information or modify files by navigating the file system using '../' sequences. Although the vulnerability exists in a development helper script that must be manually started, it has been reported as a high-severity issue by a third party.

Impact

Exploitation of this vulnerability could lead to unauthorized access to files outside the intended directory, including sensitive system files. In a proof-of-concept, this vulnerability was demonstrated by accessing the '/etc/passwd' file, which could be indicative of a more severe exploitation.

Reproduction

The vulnerability can be reproduced by sending a request to the local server started by the DOMPurify development script. The request must include a 'path' query parameter that uses '../' segments to navigate to a sensitive file, such as '/etc/passwd'.

Remediation

Users can update to DOMPurify version 3.2.6, which addresses this vulnerability.