VYPR
High severity · 7.3 · NVD Advisory · Published Nov 13, 2024 · Updated Apr 29, 2026

CVE-2024-21541

Description

Versions of the npm package dom-iterator before 1.0.1 are vulnerable to arbitrary code execution: a string filter expression is passed to the Function constructor without complete input sanitization. Function compiles its string argument into a new function body, so any part of that string an attacker controls becomes code that runs with the privileges of the calling process. The risk is the same as letting attacker-controlled input reach eval.
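The pattern the description refers to, reconstructed as an added example rather than dom-iterator's own code: a string filter spliced into new Function, the same pattern with the Object.freeze(node) that the fix commit below adds, and a hardened alternative that parses the filter into a closure instead of building source text. The node objects, the filter strings and the __filterSideEffect marker are constructed for the example; dom-iterator's props() rewriting is not reproduced, so the node. prefix is written out in the filters.

```javascript
// Added example, not code from dom-iterator. Three ways to turn a filter string
// into a predicate over node-like objects; DOM nodes are stood in for by
// constructed plain objects so this runs in Node without a browser.

// Pattern the advisory describes: the expression is spliced into a function
// body verbatim, so whoever controls `expr` controls the code that runs.
function compileUnsafe(expr) {
  return new Function('node', 'return ' + expr);
}

// Shape of the fix commit: freezing the argument blocks writes to that node
// object but does not change what the spliced-in expression can do.
function compileFrozen(expr) {
  return new Function('node', 'Object.freeze(node); return ' + expr);
}

// Hardened alternative (assumption: filters only need <property> <op> <literal>).
// The string is matched against a fixed grammar and turned into a closure;
// no part of it ever becomes JavaScript source. An optional `node.` prefix is
// accepted so the same benign filter works with all three compilers.
const FILTER_RE =
  /^\s*(?:node\.)?([A-Za-z_$][\w$]*)\s*(===|!==|==|!=)\s*(?:(\d+)|"([^"\\]*)"|'([^'\\]*)')\s*$/;
const ALLOWED_PROPS = new Set(['nodeType', 'nodeName', 'nodeValue', 'id', 'className']);

function compileSafe(expr) {
  const m = FILTER_RE.exec(expr);
  if (!m) throw new Error('unsupported filter: ' + JSON.stringify(expr));
  const [, prop, op, num, dq, sq] = m;
  if (!ALLOWED_PROPS.has(prop)) throw new Error('property not allowed: ' + prop);
  const literal = num !== undefined ? Number(num) : dq !== undefined ? dq : sq;
  const loose = op === '==' || op === '!=';     // loose forms coerce both sides to string
  const negate = op === '!=' || op === '!==';
  return function (node) {
    const actual = node[prop];
    const equal = loose ? String(actual) === String(literal) : actual === literal;
    return negate ? !equal : equal;
  };
}

// Constructed stand-ins for a DOM tree.
const NODES = [
  { nodeType: 1, nodeName: 'DIV' },
  { nodeType: 3, nodeName: '#text', nodeValue: 'hello' },
  { nodeType: 1, nodeName: 'SPAN' },
];

// A filter that is also a side effect: the comma expression sets a global
// marker before yielding the comparison the caller expected.
const HOSTILE = "(globalThis.__filterSideEffect = 'ran', node.nodeType == 1)";

// Runs a filter string through one compiler and reports what it matched,
// whether the marker was set, and whether the compiler rejected the input.
function evaluate(compile, expr) {
  delete globalThis.__filterSideEffect;
  let matched, error = null;
  try {
    matched = NODES.filter(compile(expr)).map(n => n.nodeName);
  } catch (e) {
    matched = [];
    error = e.message;
  }
  return { matched, sideEffect: globalThis.__filterSideEffect === 'ran', error };
}

if (typeof require !== 'undefined' && require.main === module) {
  const compilers = [['unsafe', compileUnsafe], ['frozen', compileFrozen], ['safe', compileSafe]];
  for (const [name, compile] of compilers) {
    console.log(name, 'benign ', evaluate(compile, 'node.nodeType == 1'));
    console.log(name, 'hostile', evaluate(compile, HOSTILE));
  }
}
```

Running it shows the marker set by both the unsafe and the frozen compiler, while the parser rejects the hostile string outright and still answers the benign filter. The allow-list of property names also keeps the closure from reading arbitrary keys such as constructor off the node.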

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions   Patched versions
dom-iterator   npm         < 1.0.1             1.0.1

Affected products: 1

Patches: 1

9e0e0fad5a25

Fix for CVE-2024-21541

https://github.com/matthewmueller/dom-iterator · Vladimir Janković · Dec 17, 2024 · via ghsa
1 file changed · +1 −1
  • index.js · +1 −1 · modified
    @@ -267,7 +267,7 @@ Iterator.prototype.compile = function(expr) {
         case 'number':
           return function(node) { return expr == node.nodeType; };
         case 'string':
    -      return new Function('node', 'return ' + props(expr, 'node.'));
    +      return new Function('node', 'Object.freeze(node); return ' + props(expr, 'node.'));
         case 'function':
           return expr;
         default:
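Review bot: the freeze on the `+` line does not close the code-execution path in this hunk; `props(expr, 'node.')` is still concatenated into the source string handed to `new Function`, so an expression string that contains arbitrary JavaScript still runs, and `Object.freeze(node)` only prevents that code from assigning to properties of the node argument. If string expressions must stay supported, compile them through a small parser for the intended grammar (property, operator, literal) into a closure instead of building source text, or at least document in the `'string'` case that the expression must come from trusted code. Note also that the freeze is a visible side effect on every node the predicate is applied to: a caller that later assigns to a property of such a node gets a silently ignored write, or a TypeError in strict mode, which deserves a mention in the changelog.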
    

