Lookup for vulnerabilities affecting packages.
| Vulnerability_id | VCID-4a9k-89d3-8yes |
|---|
| Summary | DOMPurify ADD_ATTR predicate skips URI validation
## Summary
DOMPurify allows `ADD_ATTR` to be provided as a predicate function via `EXTRA_ELEMENT_HANDLING.attributeCheck`. When the predicate returns `true`, `_isValidAttribute` short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific attribute/tag combinations can then sanitize input such as `<a href="javascript:alert(document.domain)">` and have the `javascript:` URL survive, because URI validation is skipped for that attribute while other checks still pass. The provided PoC accepts `href` for anchors and then triggers a click inside an iframe, showing that the sanitized payload executes despite the protocol bypass.
## Impact
Predicate-based allowlisting bypasses DOMPurify's URI validation, allowing unsafe protocols such as `javascript:` to reach the DOM and execute whenever the link is activated, resulting in DOM-based XSS.
## Credits
Identified by Cantina’s Apex (https://www.cantina.security). |
|---|
| Aliases |
| 0 |
| alias |
GHSA-cjmm-f4jc-qw8r |
|
|
|---|
| Fixed_packages |
|
|---|
| Affected_packages |
|
|---|
| References |
|
|---|
| Weaknesses |
| 0 |
| cwe_id |
183 |
| name |
Permissive List of Allowed Inputs |
| description |
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. |
|
|
|---|
| Exploits |
|
|---|
| Severity_range_score | 4.0 - 6.9 |
|---|
| Exploitability | 0.5 |
|---|
| Weighted_severity | 6.2 |
|---|
| Risk_score | 3.1 |
|---|
| Resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-4a9k-89d3-8yes |
|---|