DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

Description

DOMPurify versions 3.0.1 through 3.3.3 (latest) are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize() with the default configuration (no CUSTOM_ELEMENT_HANDLING option), a prior prototype pollution gadget can inject permissive tagNameCheck and attributeNameCheck regex values into Object.prototype, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization.

Recommendation

Update the dompurify package to the latest compatible version. Followings are version details:

• Affected version(s): >= 3.0.1, < 3.4.0
• Patched version(s): 3.4.0

References

• GHSA-v9jr-rg53-9pgp
• CVE-2026-41238
• CWE-1321
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-amd - CVE-2026-2950
• lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash.unset - CVE-2026-2950
• lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - CVE-2026-2950
• Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

CSRF, XXE, and 12 Other Security Acronyms Explained

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Tags:

npm

dompurify