Description
DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).
Recommendation
Update the dompurify package to the latest compatible version. Version details:
- Affected version(s): < 3.2.4
- Patched version(s): 3.2.4
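To check whether any installed copy of dompurify (including nested copies pulled in by other dependencies) is still below the patched release, here is an added example, not part of this advisory or of the DOMPurify project, that scans the `packages` map of a lockfileVersion 2/3 `package-lock.json`; the sample lock data below is constructed for the demonstration.

```javascript
// Added example (not from the advisory): find every dompurify entry in a
// package-lock.json "packages" map and flag versions below 3.2.4.
// Plain Node.js, no third-party modules.

const PATCHED = "3.2.4"; // patched version stated in the advisory

// Compare two dotted versions; returns <0, 0 or >0 like a sort comparator.
// A pre-release ("3.2.4-rc.1") is treated as older than the bare release.
function compareVersions(a, b) {
  const [aCore, aPre] = a.split("-");
  const [bCore, bPre] = b.split("-");
  const pa = aCore.split(".").map(Number);
  const pb = bCore.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// Return the lock-file paths (e.g. "node_modules/x/node_modules/dompurify")
// whose installed dompurify version is affected (< 3.2.4).
function findAffectedDompurify(lockJson) {
  const pkgs = lockJson.packages || {};
  const affected = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    if (!path.endsWith("node_modules/dompurify")) continue;
    if (!meta.version) continue;
    if (compareVersions(meta.version, PATCHED) < 0) {
      affected.push({ path, version: meta.version });
    }
  }
  return affected;
}

// Constructed sample lock data: a patched top-level copy and an older nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/dompurify": { version: "3.2.4" },
    "node_modules/some-editor": { version: "1.0.0", dependencies: { dompurify: "^3.1.0" } },
    "node_modules/some-editor/node_modules/dompurify": { version: "3.1.7" },
  },
};

// Real use: findAffectedDompurify(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
console.log(findAffectedDompurify(SAMPLE_LOCK));
```

The nested copy is the one most often missed: a top-level `npm ls dompurify` shows both, but a quick look at `package.json` alone does not.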
References
Related Issues
- Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS) - CVE-2025-27109
- QMarkdown Cross-Site Scripting (XSS) vulnerability - CVE-2025-43954
- Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) 2 - CVE-2025-59840
Tags:
- npm
- dompurify
Last updated on June 30, 2025