
Vulnerability_id VCID-d7qb-cwzz-3yh6
Summary
DOMPurify USE_PROFILES prototype pollution allows event handlers
## Summary
When `USE_PROFILES` is enabled, DOMPurify rebuilds `ALLOWED_ATTR` as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via `ALLOWED_ATTR[lcName]`, any `Array.prototype` property that is polluted also counts as an allowlisted attribute. An attacker who can set `Array.prototype.onclick = true` (or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handlers such as `onclick` even when they are normally forbidden. The provided PoC sanitizes `<img onclick=...>` with `USE_PROFILES` and adds the sanitized output to the DOM; the polluted prototype allows the event handler to survive and execute, turning what should be a blocklist into a silent XSS vector.

## Impact
Prototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered.

## Credits
Identified by Cantina’s Apex (https://www.cantina.security).
Aliases
0
alias GHSA-cj63-jhhr-wcxv
Fixed_packages
0
url pkg:npm/dompurify@3.3.2
purl pkg:npm/dompurify@3.3.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.3.2
Affected_packages
0
url pkg:npm/dompurify@3.3.1
purl pkg:npm/dompurify@3.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4a9k-89d3-8yes
1
vulnerability VCID-d7qb-cwzz-3yh6
2
vulnerability VCID-ps3s-bymy-dkbc
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.3.1
References
0
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify
1
reference_url https://github.com/cure53/DOMPurify/releases/tag/3.3.2
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify/releases/tag/3.3.2
2
reference_url https://github.com/cure53/DOMPurify/security/advisories/GHSA-cj63-jhhr-wcxv
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify/security/advisories/GHSA-cj63-jhhr-wcxv
3
reference_url https://github.com/advisories/GHSA-cj63-jhhr-wcxv
reference_id GHSA-cj63-jhhr-wcxv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cj63-jhhr-wcxv
Weaknesses
0
cwe_id 1321
name Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
description The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d7qb-cwzz-3yh6