VulnerableCode Package Details - pkg:npm/dompurify@3.3.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-4a9k-89d3-8yes Aliases: GHSA-cjmm-f4jc-qw8r	DOMPurify ADD_ATTR predicate skips URI validation ## Summary DOMPurify allows `ADD_ATTR` to be provided as a predicate function via `EXTRA_ELEMENT_HANDLING.attributeCheck`. When the predicate returns `true`, `_isValidAttribute` short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific attribute/tag combinations can then sanitize input such as `<a href="javascript:alert(document.domain)">` and have the `javascript:` URL survive, because URI validation is skipped for that attribute while other checks still pass. The provided PoC accepts `href` for anchors and then triggers a click inside an iframe, showing that the sanitized payload executes despite the protocol bypass. ## Impact Predicate-based allowlisting bypasses DOMPurify's URI validation, allowing unsafe protocols such as `javascript:` to reach the DOM and execute whenever the link is activated, resulting in DOM-based XSS. ## Credits Identified by Cantina’s Apex (https://www.cantina.security).	3.3.2 Affected by 0 other vulnerabilities.
VCID-d7qb-cwzz-3yh6 Aliases: GHSA-cj63-jhhr-wcxv	DOMPurify USE_PROFILES prototype pollution allows event handlers ## Summary When `USE_PROFILES` is enabled, DOMPurify rebuilds `ALLOWED_ATTR` as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via `ALLOWED_ATTR[lcName]`, any `Array.prototype` property that is polluted also counts as an allowlisted attribute. An attacker who can set `Array.prototype.onclick = true` (or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handlers such as `onclick` even when they are normally forbidden. The provided PoC sanitizes `<img onclick=...>` with `USE_PROFILES` and adds the sanitized output to the DOM; the polluted prototype allows the event handler to survive and execute, turning what should be a blocklist into a silent XSS vector. ## Impact Prototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered. ## Credits Identified by Cantina’s Apex (https://www.cantina.security).	3.3.2 Affected by 0 other vulnerabilities.
VCID-ps3s-bymy-dkbc Aliases: CVE-2026-0540 GHSA-v2wj-7wpq-c8vv	DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.	3.3.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-4a9k-89d3-8yes
Aliases:
GHSA-cjmm-f4jc-qw8r

DOMPurify ADD_ATTR predicate skips URI validation ## Summary DOMPurify allows `ADD_ATTR` to be provided as a predicate function via `EXTRA_ELEMENT_HANDLING.attributeCheck`. When the predicate returns `true`, `_isValidAttribute` short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific attribute/tag combinations can then sanitize input such as `<a href="javascript:alert(document.domain)">` and have the `javascript:` URL survive, because URI validation is skipped for that attribute while other checks still pass. The provided PoC accepts `href` for anchors and then triggers a click inside an iframe, showing that the sanitized payload executes despite the protocol bypass. ## Impact Predicate-based allowlisting bypasses DOMPurify's URI validation, allowing unsafe protocols such as `javascript:` to reach the DOM and execute whenever the link is activated, resulting in DOM-based XSS. ## Credits Identified by Cantina’s Apex (https://www.cantina.security).

3.3.2
Affected by 0 other vulnerabilities.

VCID-d7qb-cwzz-3yh6
Aliases:
GHSA-cj63-jhhr-wcxv

DOMPurify USE_PROFILES prototype pollution allows event handlers ## Summary When `USE_PROFILES` is enabled, DOMPurify rebuilds `ALLOWED_ATTR` as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via `ALLOWED_ATTR[lcName]`, any `Array.prototype` property that is polluted also counts as an allowlisted attribute. An attacker who can set `Array.prototype.onclick = true` (or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handlers such as `onclick` even when they are normally forbidden. The provided PoC sanitizes `<img onclick=...>` with `USE_PROFILES` and adds the sanitized output to the DOM; the polluted prototype allows the event handler to survive and execute, turning what should be a blocklist into a silent XSS vector. ## Impact Prototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered. ## Credits Identified by Cantina’s Apex (https://www.cantina.security).

3.3.2
Affected by 0 other vulnerabilities.

VCID-ps3s-bymy-dkbc
Aliases:
CVE-2026-0540
GHSA-v2wj-7wpq-c8vv

DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

3.3.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:29:23.449164+00:00	GitLab Importer	Affected by	VCID-ps3s-bymy-dkbc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml	38.4.0
2026-04-12T01:54:06.048911+00:00	GitLab Importer	Affected by	VCID-ps3s-bymy-dkbc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml	38.3.0
2026-04-05T04:21:39.769836+00:00	GitLab Importer	Affected by	VCID-ps3s-bymy-dkbc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml	38.1.0
2026-04-04T14:32:52.958298+00:00	GHSA Importer	Affected by	VCID-4a9k-89d3-8yes	https://github.com/advisories/GHSA-cjmm-f4jc-qw8r	38.1.0
2026-04-04T14:32:52.927310+00:00	GHSA Importer	Affected by	VCID-d7qb-cwzz-3yh6	https://github.com/advisories/GHSA-cj63-jhhr-wcxv	38.1.0
2026-04-01T16:08:19.391363+00:00	GHSA Importer	Affected by	VCID-ps3s-bymy-dkbc	https://github.com/advisories/GHSA-v2wj-7wpq-c8vv	38.0.0