DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)

Description

There is an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used.

Recommendation

Update the dompurify package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.4.0
• Patched version(s): 3.4.0

References

• GHSA-h7mw-gpvr-xq4m
• CVE-2026-41240
• CWE-183
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A4
• OWASP 2021-A6

Related Issues

• DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation - Vulnerability
• Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Ax - CVE-2026-42043
• DOMPurify ADD_ATTR predicate skips URI validation - Vulnerability
• CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function - CVE-2026-26861

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

dompurify