Description
When USE_PROFILES is enabled, DOMPurify rebuilds ALLOWED_ATTR as a plain array before populating it with the requested allowlists. The sanitizer still decides whether an attribute is permitted with a property lookup, ALLOWED_ATTR[lcName], and a property lookup on an array walks the prototype chain, so any property polluted onto Array.prototype also reads as an allowlisted attribute. An attacker who can set Array.prototype.onclick = true (or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handler attributes such as onclick even though they are normally forbidden.
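The mechanism above, as an added example that is not DOMPurify's own code: a toy attribute allowlist built the weak way (a plain array read with a bracket lookup) next to the hardened form (a null-prototype object read with an own-property check), plus a startup self-check that reports which event-handler names currently resolve on an empty array. The hardened lookup also goes beyond the Array.prototype case on this page and stays correct when Object.prototype is polluted. Every function name here (buildArrayAllowlist, isAllowedWeak, buildHardenedAllowlist, isAllowedHardened, filterAttributes, detectPollutedArrayPrototype, withTemporaryArrayPrototypeProperty, demo) and the sample attribute names are assumptions made for the example.

```javascript
// Added example, not DOMPurify's own code: models an attribute allowlist the two
// ways discussed above and shows which one a polluted Array.prototype affects.
// All function names in this file are hypothetical.

// Constructed default allowlist; the attribute names are arbitrary sample values.
const DEFAULT_ATTRS = ['href', 'title', 'class'];

// Weak pattern: a plain array used as a dictionary. A bracket lookup on it walks
// the prototype chain (Array.prototype, then Object.prototype), so any property
// polluted onto either prototype reads as "allowed".
function buildArrayAllowlist(names) {
  const allowed = [];
  for (const n of names) allowed[String(n).toLowerCase()] = true;
  return allowed;
}
function isAllowedWeak(allowed, name) {
  return Boolean(allowed[String(name).toLowerCase()]);
}

// Hardened pattern: a null-prototype object (no chain to walk) plus an own-property
// check. The own-property check alone already rejects inherited keys; the null
// prototype additionally removes built-ins such as "constructor" from the picture.
function buildHardenedAllowlist(names) {
  const allowed = Object.create(null);
  for (const n of names) allowed[String(n).toLowerCase()] = true;
  return allowed;
}
function isAllowedHardened(allowed, name) {
  return Object.prototype.hasOwnProperty.call(allowed, String(name).toLowerCase());
}

// Minimal stand-in for the sanitizer's attribute pass: keep only allowlisted names.
// Operates on a constructed list of attribute names rather than a real DOM element.
function filterAttributes(attrNames, isAllowed, allowed) {
  return attrNames.filter((a) => isAllowed(allowed, a));
}

// Startup self-check: which event-handler-style keys resolve on an empty array?
// On a clean runtime this returns []; anything else means the prototype chain has
// been tampered with and array-keyed lookups cannot be trusted.
function detectPollutedArrayPrototype(keys = ['onclick', 'onerror', 'onload', 'onmouseover']) {
  const probe = [];
  return keys.filter((k) => k in probe);
}

// Regression-test fixture: set one property on Array.prototype for the duration of
// fn, then restore the original state so the rest of the process is unaffected.
function withTemporaryArrayPrototypeProperty(key, value, fn) {
  const hadOwn = Object.prototype.hasOwnProperty.call(Array.prototype, key);
  const previous = Array.prototype[key];
  Array.prototype[key] = value;
  try {
    return fn();
  } finally {
    if (hadOwn) Array.prototype[key] = previous;
    else delete Array.prototype[key];
  }
}

// Runs both lookups on a clean runtime and again under a simulated pollution.
function demo() {
  const attrs = ['href', 'onclick', 'title'];
  const weak = buildArrayAllowlist(DEFAULT_ATTRS);
  const hardened = buildHardenedAllowlist(DEFAULT_ATTRS);
  const clean = {
    weak: filterAttributes(attrs, isAllowedWeak, weak),
    hardened: filterAttributes(attrs, isAllowedHardened, hardened),
    detected: detectPollutedArrayPrototype(),
  };
  const polluted = withTemporaryArrayPrototypeProperty('onclick', true, () => ({
    weak: filterAttributes(attrs, isAllowedWeak, weak),
    hardened: filterAttributes(attrs, isAllowedHardened, hardened),
    detected: detectPollutedArrayPrototype(),
  }));
  return { clean, polluted };
}

console.log(JSON.stringify(demo(), null, 2));
```

On a clean runtime both lookups drop onclick. With the fixture active, the array-backed lookup keeps onclick while the null-prototype lookup still rejects it, and the self-check names the polluted key, which is the kind of assertion worth keeping in a sanitizer's test suite alongside the version bump.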
Recommendation
Update the dompurify package to the latest compatible version. Version details:
- Affected version(s): <= 3.3.1
- Patched version(s): 3.3.2
References
Related Issues
- Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify - Vulnerability
- DOMPurify allows tampering by prototype pollution - CVE-2024-45801
- Prototype Pollution in lodash.mergewith - lodash.mergewith - Vulnerability
- Prototype Pollution in lodash.merge - lodash.merge - Vulnerability
- Tags:
- npm
- dompurify
Last updated on April 03, 2026