Your message dated Sat, 25 Apr 2026 14:48:59 +0000
with message-id <[email protected]>
and subject line Bug#1134892: fixed in node-dompurify 3.4.1+dfsg-1
has caused the Debian Bug report #1134892,
regarding node-dompurify: CVE-2026-41238 CVE-2026-41239 CVE-2026-41240
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1134892: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134892
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-dompurify
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for node-dompurify.
All fixed in 3.4.0
CVE-2026-41238[0]:
| DOMPurify is a DOM-only cross-site scripting sanitizer for HTML,
| MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a
| prototype pollution-based XSS bypass. When an application uses
| `DOMPurify.sanitize()` with the default configuration (no
| `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution
| gadget can inject permissive `tagNameCheck` and `attributeNameCheck`
| regex values into `Object.prototype`, causing DOMPurify to allow
| arbitrary custom elements with arbitrary attributes — including
| event handlers — through sanitization. Version 3.4.0 fixes the
| issue.
CVE-2026-41239[1]:
| DOMPurify is a DOM-only cross-site scripting sanitizer for HTML,
| MathML, and SVG. Starting in version 1.0.10 and prior to version
| 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from
| untrusted HTML. This works in string mode but not with `RETURN_DOM`
| or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating
| frameworks like Vue 2. Version 3.4.0 patches the issue.
CVE-2026-41240[2]:
| DOMPurify is a DOM-only cross-site scripting sanitizer for HTML,
| MathML, and SVG. Versions prior to 3.4.0 have an inconsistency
| between FORBID_TAGS and FORBID_ATTR handling when function-based
| ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR
| at line 1214. The same fix was not applied to FORBID_TAGS. At lines
| 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the
| short-circuit evaluation skips the FORBID_TAGS check entirely. This
| allows forbidden elements to survive sanitization with their
| attributes intact. Version 3.4.0 patches the issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-41238
https://www.cve.org/CVERecord?id=CVE-2026-41238
[1] https://security-tracker.debian.org/tracker/CVE-2026-41239
https://www.cve.org/CVERecord?id=CVE-2026-41239
[2] https://security-tracker.debian.org/tracker/CVE-2026-41240
https://www.cve.org/CVERecord?id=CVE-2026-41240
Please adjust the affected versions in the BTS as needed.
--- End Message ---
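An added example illustrating the CVE-2026-41238 description above; it is not DOMPurify's own code but a simplified model of how a custom-element option can be read, with the own-property-only read and a pre-flight check a deployment can run. `readOptionNaive`, `readOptionSafe`, `pollutedKeys`, `customElementAllowed` and `demo` are names chosen here, and the polluted prototype in `demo` is constructed rather than taken from a real gadget.

```javascript
// Added example, not DOMPurify's own code. A simplified model of reading a
// custom-element option, showing how a value planted on a prototype reaches
// a config that never set CUSTOM_ELEMENT_HANDLING (the CVE-2026-41238
// pattern), plus an own-property-only read and a pre-flight check.

// Keys the advisory names as the values a pollution gadget injects.
const WATCHED_KEYS = ['tagNameCheck', 'attributeNameCheck'];

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Naive read: a key the app never set is looked up along the prototype
// chain, so an inherited regex is treated as if it had been configured.
function readOptionNaive(handling, name) {
  return handling[name];
}

// Hardened read: inherited values are ignored; only own keys count.
function readOptionSafe(handling, name) {
  return hasOwn(handling, name) ? handling[name] : undefined;
}

// Pre-flight check for a deployment: which watched keys exist on the given
// prototype (defaults to the global Object.prototype).
function pollutedKeys(proto = Object.prototype) {
  return WATCHED_KEYS.filter((k) => hasOwn(proto, k));
}

// Admission decision for a custom element name from the check value read.
// An absent check is conservative: the element is not allowed.
function customElementAllowed(check, tagName) {
  if (check instanceof RegExp) return check.test(tagName);
  if (typeof check === 'function') return Boolean(check(tagName));
  return false;
}

// Demonstration. Instead of mutating the real Object.prototype, the polluted
// state is a constructed intermediate prototype, so the process stays clean.
function demo() {
  const polluted = { tagNameCheck: /.*/ };   // constructed gadget result
  const handling = Object.create(polluted);  // app set no own options
  return {
    globalPolluted: pollutedKeys(),           // [] on a clean runtime
    detected: pollutedKeys(polluted),         // ['tagNameCheck']
    naive: customElementAllowed(readOptionNaive(handling, 'tagNameCheck'), 'x-widget'), // true
    safe: customElementAllowed(readOptionSafe(handling, 'tagNameCheck'), 'x-widget'),   // false
  };
}
```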
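An added example illustrating the evaluation-order point in the CVE-2026-41240 description above; it is a simplified model written here, not DOMPurify's actual code. `cfg` is a constructed config with an ADD_TAGS-style check function, an allow set and a FORBID_TAGS set, and the element names in `sampleConfig` and `compare` are constructed sample input.

```javascript
// Added example, not DOMPurify's own code: a simplified model of the
// element-admission order described for CVE-2026-41240.

// Version with the flaw pattern: a true result from the custom tag check
// short-circuits the expression, so the FORBID_TAGS test is never reached.
function isTagAllowedShortCircuit(tag, cfg) {
  return (cfg.tagCheck && cfg.tagCheck(tag)) ||
         (cfg.allowed.has(tag) && !cfg.forbidden.has(tag));
}

// Corrected order: an explicit forbid is evaluated first and is final, no
// matter what any allow hook or allow list says.
function isTagAllowedDenyFirst(tag, cfg) {
  if (cfg.forbidden.has(tag)) return false;
  if (cfg.tagCheck && cfg.tagCheck(tag)) return true;
  return cfg.allowed.has(tag);
}

// Constructed config: hyphenated (custom element) names are accepted by the
// check function, and one such name is explicitly forbidden.
const sampleConfig = {
  tagCheck: (tag) => tag.includes('-'),
  allowed: new Set(['p', 'a']),
  forbidden: new Set(['x-forbidden']),
};

// Runs both decision functions over sample names; a row where the two
// differ is a case where the short-circuit version ignores FORBID_TAGS.
function compare(tags, cfg = sampleConfig) {
  return tags.map((tag) => ({
    tag,
    shortCircuit: isTagAllowedShortCircuit(tag, cfg),
    denyFirst: isTagAllowedDenyFirst(tag, cfg),
  }));
}
```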
--- Begin Message ---
Source: node-dompurify
Source-Version: 3.4.1+dfsg-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-dompurify, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-dompurify package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 25 Apr 2026 15:50:28 +0200
Source: node-dompurify
Architecture: source
Version: 3.4.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1134892
Changes:
node-dompurify (3.4.1+dfsg-1) unstable; urgency=medium
.
* Team upload
* New upstream version 3.4.1+dfsg
(Closes: #1134892, CVE-2026-41238 CVE-2026-41239 CVE-2026-41240)
* Drop rollup patch
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel