Description
A mutation-XSS (mXSS) condition was confirmed when HTML that has already been sanitized is reinserted into a new parsing context via innerHTML inside one of several special wrapper elements. The wrappers confirmed to trigger the mutation in browser behavior are script, xmp, iframe, noembed, noframes, and noscript. The payload looks benign after DOMPurify.sanitize(), but during the second parse it mutates into executable markup carrying an event handler, enabling JavaScript execution in the client (alert(1) in the PoC).
Recommendation
Update the dompurify package to the latest compatible version. Version details:
- Affected version(s): < 3.3.2
- Patched version(s): 3.3.2
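To locate every installed copy that falls in the affected range, including nested copies pulled in transitively, here is an added triage script (example code, not part of the advisory or of DOMPurify itself). It assumes a lockfileVersion 2 or 3 package-lock.json; the sample lockfile is constructed for illustration.

```javascript
// Added example, not from the advisory: triage a package-lock.json for
// dompurify installs affected by this advisory (affected < 3.3.2, patched 3.3.2).
const PATCHED_VERSION = "3.3.2";

// Compare two dotted version strings numerically (a leading ^/~/v and any
// pre-release suffix are dropped); returns -1, 0 or 1.
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^[~^=v]/, "").split("-")[0].split(".").map(Number);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when an installed version lies inside the advisory's affected range.
function isAffectedVersion(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every dompurify copy, including nested node_modules copies.
function findDompurify(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isDompurify =
      path === "node_modules/dompurify" || path.endsWith("/node_modules/dompurify");
    if (!isDompurify || !meta.version) continue;
    results.push({ path, version: meta.version, affected: isAffectedVersion(meta.version) });
  }
  return results;
}

// Constructed sample lockfile: a patched top-level copy plus an affected
// nested copy hidden under a transitive dependency (hypothetical package name).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/dompurify": { version: "3.3.2" },
    "node_modules/some-editor": { version: "4.2.0", dependencies: { dompurify: "^3.1.0" } },
    "node_modules/some-editor/node_modules/dompurify": { version: "3.1.7" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findDompurify(SAMPLE_LOCK)) {
    console.log(`${hit.path}@${hit.version}: ${hit.affected ? "AFFECTED, upgrade to >= 3.3.2" : "ok"}`);
  }
}
```

Replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; a nested affected copy is the case a top-level `npm ls dompurify` glance most often misses.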
References
Tags: npm, dompurify
Last updated on May 07, 2026


