DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-cj63-jhhr-wcxv: Prototype Pollution to XSS Bypass in DOMPurify USE_PROFILES

Vulnerability ID: GHSA-CJ63-JHHR-WCXV
CVSS Score: 5.3
Published: 2026-04-03

A prototype pollution vulnerability in DOMPurify allows attackers to bypass the HTML sanitizer's attribute allowlist when the USE_PROFILES configuration is enabled. This results in DOM-based Cross-Site Scripting (XSS) via injected event handlers.

TL;DR

DOMPurify versions prior to 3.3.2 improperly initialize the ALLOWED_ATTR array when USE_PROFILES is configured. By polluting Array.prototype, attackers can force the sanitizer to accept malicious HTML attributes like 'onclick', leading to cross-site scripting.


⚠️ Exploit Status: POC

Technical Details

  • GHSA ID: GHSA-cj63-jhhr-wcxv
  • CVSS v4.0 Score: 5.3 (Medium)
  • CWE ID: CWE-1321 (Prototype Pollution), CWE-79 (XSS)
  • Attack Vector: Network
  • Exploit Status: Proof of Concept (PoC) Available
  • Patched Version: 3.3.2

Affected Systems

  • DOMPurify (npm package)
  • Applications utilizing DOMPurify with the USE_PROFILES configuration enabled
  • dompurify: < 3.3.2 (Fixed in: 3.3.2)

Exploit Details

  • Research Context: Proof of concept demonstrating Array.prototype pollution leading to 'onclick' validation bypass.

Mitigation Strategies

  • Upgrade the DOMPurify library to version 3.3.2 or newer to obtain the permanent fix.
  • Disable the USE_PROFILES configuration flag in DOMPurify calls if immediate patching is impossible.
  • Freeze the global Object and Array prototypes at application startup so the prototype pollution that this bypass depends on cannot take effect.
  • Deploy a restrictive Content Security Policy (CSP) blocking inline event handlers to prevent XSS payload execution.
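The following is an added illustration, not DOMPurify's own code: a constructed attribute allowlist lookup that inherits keys from a polluted Array.prototype (the bug class named in the TL;DR), beside a lookup that only honours own properties, and the prototype-freezing mitigation listed above. The allowlist contents, the function names, and the `simulatePollution` helper are assumptions made for the example.

```javascript
// Constructed profile allowlist standing in for an ALLOWED_ATTR array.
const PROFILE_ALLOWED_ATTR = ['href', 'title', 'class'];

// Hypothetical vulnerable pattern: reading lookup[attr] walks the prototype
// chain, so a key someone has placed on Array.prototype (e.g. "onclick")
// looks like a member of the allowlist.
function isAttrAllowedUnsafe(attr) {
  const lookup = [];
  for (const a of PROFILE_ALLOWED_ATTR) lookup[a] = true;
  return Boolean(lookup[attr]); // inherits polluted keys
}

// Hardened lookup: a null-prototype object has nothing to inherit, and an
// own-property check never consults the prototype chain.
function isAttrAllowedSafe(attr) {
  const lookup = Object.create(null);
  for (const a of PROFILE_ALLOWED_ATTR) lookup[a] = true;
  return Object.prototype.hasOwnProperty.call(lookup, attr);
}

// Simulates the precondition the advisory names: some earlier prototype
// pollution bug set a truthy key on Array.prototype. Returns whether the
// write took effect (it will not once the prototype is frozen).
function simulatePollution(key) {
  try {
    Array.prototype[key] = true;
  } catch (e) {
    // In strict mode a write to a frozen object throws; non-strict ignores it.
  }
  return Object.prototype.hasOwnProperty.call(Array.prototype, key);
}

function cleanupPollution(key) {
  delete Array.prototype[key];
}

// Mitigation from the advisory: freeze the built-in prototypes at startup,
// before any untrusted input reaches the sanitizer.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
  Object.freeze(Array.prototype);
  return Object.isFrozen(Object.prototype) && Object.isFrozen(Array.prototype);
}
```

Call `hardenPrototypes()` once during application bootstrap; after it, `simulatePollution('onclick')` returns false and the unsafe lookup no longer accepts the attribute.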

Remediation Steps:

  1. Audit the application dependency tree to identify all instances of dompurify prior to 3.3.2.
  2. Update dompurify in the package manager (e.g., npm install dompurify@latest).
  3. Search the application codebase for occurrences of USE_PROFILES within DOMPurify configuration objects.
  4. Execute automated XSS test suites against areas utilizing DOMPurify to verify the patch implementation.

Read the full report for GHSA-CJ63-JHHR-WCXV on our website for more details including interactive diagrams and full exploit analysis.
