Fluid Attacks Database

Description

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize() with the default configuration (no CUSTOM_ELEMENT_HANDLING option), a prior prototype pollution gadget can inject permissive tagNameCheck and attributeNameCheck regex values into Object.prototype, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. Version 3.4.0 fixes the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	node-dompurify	=3.1.7+dfsg+~3.0.5-2 \|\| =3.2.5+dfsg-1 \|\| =3.3.2+dfsg-1 \|\| =3.3.3+dfsg-1 \|\| =3.3.3+dfsg-2 \|\| >=0 <3.4.1+dfsg-1	3.4.1+dfsg-1
npm	dompurify	>=3.0.1 <3.4.0	3.4.0
debian 12	node-dompurify	=2.4.1+dfsg+~2.4.0-1 \|\| =2.4.1+dfsg+~2.4.0-2 \|\| =2.4.1+dfsg+~2.4.0-2+deb12u1 \|\| =3.0.9+dfsg+~3.0.5-1 \|\| =3.1.6+dfsg+~3.0.5-1 \|\| =3.1.7+dfsg+~3.0.5-1 \|\| =3.1.7+dfsg+~3.0.5-2 \|\| =3.2.5+dfsg-1 \|\| =3.3.2+dfsg-1 \|\| =3.3.3+dfsg-1 \|\| =3.3.3+dfsg-2 \|\| =3.4.1+dfsg-1	-
debian 13	node-dompurify	=3.1.7+dfsg+~3.0.5-2 \|\| =3.2.5+dfsg-1 \|\| =3.3.2+dfsg-1 \|\| =3.3.3+dfsg-1 \|\| =3.3.3+dfsg-2 \|\| =3.4.1+dfsg-1	-
rpm rhel10	grafana	-	-
rpm rhel8	grafana	-	-
rpm rhel9	grafana	-	-

Aliases

1. CVE-2026-412382. NVD-2026-412383. OSV-DEBIAN-2026-412384. OSV-2026-412385. GHSA-v9jr-rg53-9pgp6. GCVE-2026-412387. SECURITY-TRACKER-CVE-2026-41238

References

1. https://github.com/cure53/DOMPurify/security/advisories/GHSA-v9jr-rg53-9pgp2. https://github.com/cure53/DOMPurify/releases/tag/3.4.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.