Search for packages
| purl | pkg:npm/dompurify@2.0.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-9517-d2c6-9fhx
Aliases: GHSA-mjjq-c88q-qhr6 GMS-2020-711 |
Cross-Site Scripting in dompurify Versions of `dompurify` prior to 2.0.7 are vulnerable to Cross-Site Scripting (XSS). It is possible to bypass the package sanitization through Mutation XSS, which may allow an attacker to execute arbitrary JavaScript in a victim's browser. ## Recommendation Upgrade to version 2.0.7 or later. |
Affected by 5 other vulnerabilities. |
|
VCID-gmsu-xfke-47bg
Aliases: CVE-2024-45801 GHSA-mmhx-hmjr-r674 |
DOMPurify allows tampering by prototype pollution It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid XSS attack. Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch). |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-mebp-4rfu-vqcq
Aliases: CVE-2024-47875 GHSA-gx9m-whjm-85jf |
DOMpurify has a nesting-based mXSS DOMpurify was vulnerable to nesting-based mXSS fixed by [0ef5e537](https://github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d7185f) (2.x) and [merge 943](https://github.com/cure53/DOMPurify/pull/943) Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking POC is avaible under [test](https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098) |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-prz4-pcsj-gfh2
Aliases: CVE-2020-26870 GHSA-63q7-h895-m982 |
Cross-site Scripting in dompurify Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. |
Affected by 4 other vulnerabilities. |
|
VCID-vbs9-gben-9kgc
Aliases: CVE-2024-48910 GHSA-p3vf-v8qc-cwcr |
DOMPurify vulnerable to tampering by prototype polution dompurify was vulnerable to prototype pollution Fixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc |
Affected by 3 other vulnerabilities. |
|
VCID-vzq7-t235-ukd5
Aliases: CVE-2025-26791 GHSA-vhxf-7vqr-mrjg |
DOMPurify allows Cross-site Scripting (XSS) DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS). |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||