Source: node-dompurify
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for node-dompurify.
All fixed in 3.4.0
CVE-2026-41238[0]:
| DOMPurify is a DOM-only cross-site scripting sanitizer for HTML,
| MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a
| prototype pollution-based XSS bypass. When an application uses
| `DOMPurify.sanitize()` with the default configuration (no
| `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution
| gadget can inject permissive `tagNameCheck` and `attributeNameCheck`
| regex values into `Object.prototype`, causing DOMPurify to allow
| arbitrary custom elements with arbitrary attributes — including
| event handlers — through sanitization. Version 3.4.0 fixes the
| issue.
CVE-2026-41239[1]:
| DOMPurify is a DOM-only cross-site scripting sanitizer for HTML,
| MathML, and SVG. Starting in version 1.0.10 and prior to version
| 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from
| untrusted HTML. This works in string mode but not with `RETURN_DOM`
| or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating
| frameworks like Vue 2. Version 3.4.0 patches the issue.
CVE-2026-41240[2]:
| DOMPurify is a DOM-only cross-site scripting sanitizer for HTML,
| MathML, and SVG. Versions prior to 3.4.0 have an inconsistency
| between FORBID_TAGS and FORBID_ATTR handling when function-based
| ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR
| at line 1214. The same fix was not applied to FORBID_TAGS. At line
| 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the
| short-circuit evaluation skips the FORBID_TAGS check entirely. This
| allows forbidden elements to survive sanitization with their
| attributes intact. Version 3.4.0 patches the issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-41238
https://www.cve.org/CVERecord?id=CVE-2026-41238
[1] https://security-tracker.debian.org/tracker/CVE-2026-41239
https://www.cve.org/CVERecord?id=CVE-2026-41239
[2] https://security-tracker.debian.org/tracker/CVE-2026-41240
https://www.cve.org/CVERecord?id=CVE-2026-41240
Please adjust the affected versions in the BTS as needed.
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
