
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-CJMM-F4JC-QW8R: DOM-based XSS Bypass in DOMPurify via ADD_ATTR Predicate

Vulnerability ID: GHSA-CJMM-F4JC-QW8R
CVSS Score: 5.3
Published: 2026-04-03

DOMPurify versions prior to 3.3.2 contain a vulnerability where the ADD_ATTR predicate function short-circuits internal validation logic. This allows dynamically approved attributes to bypass URI-safe sanitization, potentially leading to DOM-based Cross-Site Scripting (XSS) via dangerous protocols like javascript: or data:.

TL;DR

DOMPurify < 3.3.2 skips URI validation for attributes approved via the ADD_ATTR predicate function, allowing DOM-based XSS via malicious protocols.


⚠️ Exploit Status: PoC

Technical Details

  • CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)
  • Attack Vector: Network
  • CVSS Score: 5.3 (Medium)
  • Impact: High Confidentiality, High Integrity (Session context)
  • Exploit Status: Proof of Concept (PoC) available
  • User Interaction: Required

Affected Systems

  • dompurify (npm package)
  • dompurify: < 3.3.2 (Fixed in: 3.3.2)

Mitigation Strategies

  • Upgrade the dompurify library to the patched version.
  • Validate attribute values, not just attribute names, inside any ADD_ATTR predicate function; in particular, reject javascript: and data: URIs in URI-bearing attributes, since the predicate path does not perform that check itself.

Remediation Steps:

  1. Identify all projects utilizing the dompurify npm package.
  2. Execute npm audit or yarn audit to detect vulnerable versions (< 3.3.2).
  3. Update package.json to require dompurify version 3.3.2 or higher.
  4. Run npm install or yarn install to fetch the updated package.
  5. Review source code for instances of DOMPurify.sanitize utilizing ADD_ATTR as a function.
  6. Ensure any predicate functions used do not blindly approve attributes without considering the safety of their potential values.
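The following is an added example written by the editor for this post; it is not DOMPurify's code and not part of the original advisory. It shows what steps 5 and 6 mean in practice: an ADD_ATTR-style predicate that approves an attribute only when its value passes a URI scheme check, so a dynamically approved href or src cannot carry a javascript: or data: URI. The protocol allowlist and the control-character stripping are modelled on DOMPurify's default URI check but re-implemented here so the snippet runs without the library or a browser DOM; the (name, value) predicate signature and the inert-attribute list are assumptions for this example, and the sample attribute/value pairs are constructed.

```javascript
// Editor's example for GHSA-CJMM-F4JC-QW8R; not DOMPurify's code.
// An ADD_ATTR predicate that validates values instead of approving by name.

// Characters stripped before matching, modelled on DOMPurify's ATTR_WHITESPACE,
// so "java\u0000script:" or "\tjavascript:" cannot slip past the allowlist.
const ATTR_WHITESPACE =
  /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g;

// Modelled on DOMPurify's IS_ALLOWED_URI: known-safe schemes, anything that
// does not start with a letter (relative paths, fragments), or a bare word
// that never reaches a ':' scheme separator.
const IS_ALLOWED_URI =
  /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|matrix):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;

// Attributes whose values the browser never interprets as a URI (constructed
// list, assumption for this example). Everything else is checked, fail-closed.
const INERT_ATTRIBUTES = new Set([
  'alt', 'class', 'id', 'title', 'name', 'role', 'placeholder', 'label', 'for',
]);

function isInertAttribute(name) {
  return INERT_ATTRIBUTES.has(name) || name.startsWith('data-') || name.startsWith('aria-');
}

// True when the value, after whitespace/control stripping, uses a safe scheme.
function isSafeUriValue(value) {
  const cleaned = String(value).replace(ATTR_WHITESPACE, '');
  return IS_ALLOWED_URI.test(cleaned);
}

// Builds a predicate approving only the names in `extraAttrs`, and for any
// non-inert attribute additionally requiring a safe value. The (name, value)
// signature is an assumption; confirm it against the DOMPurify documentation.
function makeSafeAttrPredicate(extraAttrs) {
  const allowed = new Set(extraAttrs.map((a) => String(a).toLowerCase()));
  return function predicate(attrName, value) {
    const name = String(attrName).toLowerCase();
    if (!allowed.has(name)) return false;        // never approve unlisted names
    if (isInertAttribute(name)) return true;     // value cannot trigger navigation
    return isSafeUriValue(value);                // URI-bearing: scheme must be safe
  };
}

// Constructed attribute/value pairs as a sanitizer might present them.
const SAMPLE_ATTRIBUTES = [
  ['href', 'https://example.com/docs'],          // safe scheme -> approved
  ['href', 'javascript:alert(1)'],               // dangerous scheme -> rejected
  ['href', 'java\u0000script:alert(1)'],         // control char stripped -> rejected
  ['src', 'data:text/html;base64,AAAA'],         // data: URI -> rejected
  ['href', '/relative/path#frag'],               // relative -> approved
  ['data-tooltip', 'javascript:alert(1)'],       // inert attribute -> approved
  ['onmouseover', 'alert(1)'],                   // not in extra list -> rejected
];

// Returns [name, value, approved] for each sample so the outcome is inspectable.
function evaluateSamples() {
  const predicate = makeSafeAttrPredicate(['href', 'src', 'data-tooltip']);
  return SAMPLE_ATTRIBUTES.map(([name, value]) => [name, value, predicate(name, value)]);
}

// Intended use with the library (assumed option shape, left as a comment so
// the example runs stand-alone):
//   DOMPurify.sanitize(html, { ADD_ATTR: makeSafeAttrPredicate(['href', 'src']) });
```

The point of the fail-closed branch is that an attribute the predicate does not recognise as inert is treated as URI-bearing; that matches how the library itself reasons about unknown attributes and avoids re-introducing the bypass for a new attribute name added later.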

Read the full report for GHSA-CJMM-F4JC-QW8R on our website for more details including interactive diagrams and full exploit analysis.
