DOMPurify allows Cross-site Scripting (XSS)

Description

DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).

Recommendation

Update the dompurify package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.2.4
• Patched version(s): 3.2.4

References

• GHSA-vhxf-7vqr-mrjg
• ensy.zip
• nsysean.github.io
• CVE-2025-26791
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS) - CVE-2025-27109
• Vega allows Cross-site Scripting via the vlSelectionTuples function - CVE-2025-25304
• tarteaucitron Cross-site Scripting (XSS) - CVE-2025-1467
• jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

dompurify