CVE-2024-21541 HIGH

CVE-2024-21541

Vendor N/A
Product dom-iterator
Weakness CWE-94 · Code injection
Published November 13, 2024
Last update January 16, 2025

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

What the vulnerability does

01Description

Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not attacker-controlled. The risks involved are similar to that of allowing attacker-controlled input to reach eval.

Key dates

02Disclosure timeline

November 13, 2024 CVE published
January 16, 2025 Record updated