DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-H8R8-WCCR-V5F2: Mutation-XSS via Re-Contextualization in DOMPurify

Vulnerability ID: GHSA-H8R8-WCCR-V5F2
CVSS Score: 6.5
Published: 2026-03-27

DOMPurify versions prior to 3.3.2 are susceptible to a Mutation Cross-Site Scripting (mXSS) vulnerability. The flaw occurs due to discrepancies in browser parsing contexts when handling specific raw-text or RCDATA elements, allowing attackers to bypass sanitization.

TL;DR

DOMPurify < 3.3.2 fails to properly neutralize specific raw-text elements such as <noscript>. Attackers can inject payloads that survive the initial sanitization pass but mutate into executable JavaScript when the sanitized markup is serialized and re-parsed in a different context (for example, via an innerHTML assignment).


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Mutation Cross-Site Scripting (mXSS)
  • CWE ID: CWE-79
  • CVSS v3.1 Score: 6.5 (Medium)
  • Attack Vector: Network
  • User Interaction: None
  • Exploit Status: Proof of Concept Available
  • Affected Component: Raw Text/RCDATA Parser Constraints

Affected Systems

  • DOMPurify (NPM Package)
  • Client-side web applications utilizing DOMPurify < 3.3.2
  • dompurify: < 3.3.2 (Fixed in: 3.3.2)

Exploit Details

  • Advisory PoC: Proof of concept demonstrating <noscript> mutation via innerHTML assignment.

Mitigation Strategies

  • Upgrade DOMPurify to version 3.3.2 or higher
  • Implement strict Content Security Policy (CSP) rules that do not allow 'unsafe-inline' for script-src, so a mutated payload cannot execute as an inline script
  • Avoid re-parsing sanitized content in differing browser contexts (for example, serializing sanitized output to a string and re-inserting it via innerHTML)
  • Audit dependency trees for transitive inclusions of vulnerable DOMPurify builds

Remediation Steps:

  1. Identify all projects utilizing the DOMPurify NPM package.
  2. Execute dependency updates to force installation of DOMPurify >= 3.3.2.
  3. Validate the fix by executing test suites against known mXSS payloads.
  4. Deploy the updated application builds to production environments.

Read the full report for GHSA-H8R8-WCCR-V5F2 on our website for more details including interactive diagrams and full exploit analysis.
