VulnerableCode Package Details - pkg:npm/dompurify@3.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-gmsu-xfke-47bg Aliases: CVE-2024-45801 GHSA-mmhx-hmjr-r674	DOMPurify allows tampering by prototype pollution It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid XSS attack. Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).	3.1.3 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-mebp-4rfu-vqcq Aliases: CVE-2024-47875 GHSA-gx9m-whjm-85jf	DOMpurify has a nesting-based mXSS DOMpurify was vulnerable to nesting-based mXSS fixed by [0ef5e537](https://github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d7185f) (2.x) and [merge 943](https://github.com/cure53/DOMPurify/pull/943) Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking POC is avaible under [test](https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098)	3.1.3 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-vzq7-t235-ukd5 Aliases: CVE-2025-26791 GHSA-vhxf-7vqr-mrjg	DOMPurify allows Cross-site Scripting (XSS) DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).	3.2.4 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-gmsu-xfke-47bg
Aliases:
CVE-2024-45801
GHSA-mmhx-hmjr-r674

DOMPurify allows tampering by prototype pollution It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid XSS attack. Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).

3.1.3
Affected by 3 other vulnerabilities.

VCID-mebp-4rfu-vqcq
Aliases:
CVE-2024-47875
GHSA-gx9m-whjm-85jf

DOMpurify has a nesting-based mXSS DOMpurify was vulnerable to nesting-based mXSS fixed by [0ef5e537](https://github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d7185f) (2.x) and [merge 943](https://github.com/cure53/DOMPurify/pull/943) Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking POC is avaible under [test](https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098)

3.1.3
Affected by 3 other vulnerabilities.

VCID-vzq7-t235-ukd5
Aliases:
CVE-2025-26791
GHSA-vhxf-7vqr-mrjg

DOMPurify allows Cross-site Scripting (XSS) DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).

3.2.4
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-mv6v-re2k-g3gn	DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.	CVE-2025-15599 GHSA-v8jm-5vwx-cfxm
VCID-ps3s-bymy-dkbc	DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.	CVE-2026-0540 GHSA-v2wj-7wpq-c8vv

Vulnerability

Summary

Aliases

VCID-mv6v-re2k-g3gn

DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

CVE-2025-15599
GHSA-v8jm-5vwx-cfxm

VCID-ps3s-bymy-dkbc

DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

CVE-2026-0540
GHSA-v2wj-7wpq-c8vv

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:29:43.249609+00:00	GitLab Importer	Fixing	VCID-mv6v-re2k-g3gn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-15599.yml	38.4.0
2026-04-17T00:29:23.385007+00:00	GitLab Importer	Fixing	VCID-ps3s-bymy-dkbc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml	38.4.0
2026-04-16T23:21:03.579157+00:00	GitLab Importer	Affected by	VCID-vzq7-t235-ukd5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-26791.yml	38.4.0
2026-04-16T23:11:28.795073+00:00	GitLab Importer	Affected by	VCID-mebp-4rfu-vqcq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-47875.yml	38.4.0
2026-04-16T23:08:03.025607+00:00	GitLab Importer	Affected by	VCID-gmsu-xfke-47bg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-45801.yml	38.4.0
2026-04-12T01:54:26.073614+00:00	GitLab Importer	Fixing	VCID-mv6v-re2k-g3gn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-15599.yml	38.3.0
2026-04-12T01:54:05.969598+00:00	GitLab Importer	Fixing	VCID-ps3s-bymy-dkbc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml	38.3.0
2026-04-12T00:40:04.458570+00:00	GitLab Importer	Affected by	VCID-vzq7-t235-ukd5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-26791.yml	38.3.0
2026-04-12T00:29:51.703582+00:00	GitLab Importer	Affected by	VCID-mebp-4rfu-vqcq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-47875.yml	38.3.0
2026-04-12T00:26:12.519447+00:00	GitLab Importer	Affected by	VCID-gmsu-xfke-47bg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-45801.yml	38.3.0
2026-04-05T04:21:57.871127+00:00	GitLab Importer	Fixing	VCID-mv6v-re2k-g3gn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-15599.yml	38.1.0
2026-04-05T04:21:39.693885+00:00	GitLab Importer	Fixing	VCID-ps3s-bymy-dkbc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml	38.1.0
2026-04-03T00:48:00.132675+00:00	GitLab Importer	Affected by	VCID-vzq7-t235-ukd5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-26791.yml	38.1.0
2026-04-03T00:37:31.754574+00:00	GitLab Importer	Affected by	VCID-mebp-4rfu-vqcq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-47875.yml	38.1.0
2026-04-03T00:33:51.427477+00:00	GitLab Importer	Affected by	VCID-gmsu-xfke-47bg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-45801.yml	38.1.0
2026-04-02T12:40:13.916949+00:00	GitLab Importer	Affected by	VCID-mebp-4rfu-vqcq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-47875.yml	38.0.0
2026-04-02T12:40:02.267287+00:00	GitLab Importer	Affected by	VCID-gmsu-xfke-47bg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-45801.yml	38.0.0
2026-04-01T16:06:40.053617+00:00	GHSA Importer	Affected by	VCID-mebp-4rfu-vqcq	https://github.com/advisories/GHSA-gx9m-whjm-85jf	38.0.0
2026-04-01T16:06:24.677056+00:00	GHSA Importer	Affected by	VCID-gmsu-xfke-47bg	https://github.com/advisories/GHSA-mmhx-hmjr-r674	38.0.0