Skip to content

Update dependency dompurify to v3 [SECURITY]#43

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-dompurify-vulnerability
Open

Update dependency dompurify to v3 [SECURITY]#43
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-dompurify-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate Bot commented Sep 16, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
dompurify 2.3.83.2.4 age confidence

DOMPurify allows tampering by prototype pollution

CVE-2024-45801 / GHSA-mmhx-hmjr-r674

More information

Details

It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

This renders dompurify unable to avoid XSS attack.

Fixed by cure53/DOMPurify@1e52026 (3.x branch) and cure53/DOMPurify@26e1d69 (2.x branch).

Severity

  • CVSS Score: 8.3 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

DOMpurify has a nesting-based mXSS

CVE-2024-47875 / GHSA-gx9m-whjm-85jf

More information

Details

DOMpurify was vulnerable to nesting-based mXSS

fixed by 0ef5e537 (2.x) and
merge 943

Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking

POC is avaible under test

Severity

  • CVSS Score: 7.9 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

DOMPurify vulnerable to tampering by prototype polution

CVE-2024-48910 / GHSA-p3vf-v8qc-cwcr

More information

Details

dompurify was vulnerable to prototype pollution

Fixed by cure53/DOMPurify@d1dd037

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

DOMPurify allows Cross-site Scripting (XSS)

CVE-2025-26791 / GHSA-vhxf-7vqr-mrjg

More information

Details

DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).

Severity

  • CVSS Score: 4.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

cure53/DOMPurify (dompurify)

v3.2.4: DOMPurify 3.2.4

Compare Source

  • Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
  • Added a new feature to allow specific hook removal, thanks @​davecardwell
  • Added purify.js and purify.min.js to exports, thanks @​Aetherinox
  • Added better logic in case no window object is president, thanks @​yehuya
  • Updated some dependencies called out by dependabot
  • Updated license files etc to show the correct year

v3.2.3: DOMPurify 3.2.3

Compare Source

v3.2.2: DOMPurify 3.2.2

Compare Source

  • Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @​yaniv-git
  • Fixed several minor issues with the type definitions, thanks again @​reduckted
  • Fixed a minor issue with the types reference for trusted types, thanks @​reduckted
  • Fixed a minor problem with the template detection regex on some systems, thanks @​svdb99

v3.2.1: DOMPurify 3.2.1

Compare Source

v3.2.0: DOMPurify 3.2.0

Compare Source

v3.1.7: DOMPurify 3.1.7

Compare Source

  • Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
  • Fixed several smaller typos in documentation and test & build files, thanks @​christianhg
  • Added better support for Angular compiler, thanks @​jeroen1602
  • Added several new attributes to HTML and SVG allow-list, thanks @​Gigabyte5671 and @​Rotzbua
  • Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa
  • Bumped several dependencies to be more up to date

v3.1.6: DOMPurify 3.1.6

Compare Source

  • Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
  • Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @​realansgar
  • Fixed a minor problem with the bower file pointing to the wrong dist path
  • Fixed several minor typos in docs, comments and comment blocks, thanks @​Rotzbua
  • Updated several development dependencies

v3.1.5: DOMPurify 3.1.5

Compare Source

  • Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
  • Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

v3.1.4: DOMPurify 3.1.4

Compare Source

  • Fixed an issue with the recently implemented isNaN checks, thanks @​tulach
  • Added several new popover attributes to allow-list, thanks @​Gigabyte5671
  • Fixed the tests and adjusted the test runner to cover all branches

v3.1.3: DOMPurify 3.1.3

Compare Source

  • Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
  • Added better handling and readability of the nodeType property, thanks @​ssi02014
  • Fixed some smaller issues in README and other documentation

v3.1.2: DOMPurify 3.1.2

Compare Source

  • Addressed and fixed a mXSS variation found by @​kevin-mizu
  • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

v3.1.1: DOMPurify 3.1.1

Compare Source

  • Fixed an mXSS sanitiser bypass reported by @​icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

v3.1.0: DOMPurify 3.1.0

Compare Source

  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated README to warn about happy-dom not being safe for use with DOMPurify yet
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

v3.0.11: DOMPurify 3.0.11

Compare Source

  • Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

v3.0.10: DOMPurify 3.0.10

Compare Source

  • Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser
  • Bumped up some build and test dependencies

v3.0.9: DOMPurify 3.0.9

Compare Source

  • Fixed a problem with proper detection of Custom Elements, thanks @​kevin-mizu
  • Refactored the hasOwnProperty logic, thanks @​ssi02014
  • Removed a superfluous console.warn making HappyDom happier, thanks @​HugoPoi
  • Modernized some of the demo hooks for better looks, thanks @​Steb95

v3.0.8: DOMPurify 3.0.8

Compare Source

  • Fixed errors caused by conditional exports, thanks @​ssi02014
  • Fixed a type error when working with custom element config, thanks @​cpmotion

v3.0.7: DOMPurify 3.0.7

Compare Source

  • Added better protection against CSPP attacks, thanks @​kevin-mizu
  • Updated browser versions for automated tests
  • Updated Node versions for automated tests
  • Refactored code base, thanks @​ssi02014
  • Refactored build system & deployment, thanks @​ssi02014

v3.0.6: DOMPurify 3.0.6

Compare Source

  • Refactored the core code-base and several utilities, thanks @​ssi02014
  • Updated and fixed several sections of the README, thanks @​ssi02014
  • Updated several outdated build and test dependencies

v3.0.5: DOMPurify 3.0.5

Compare Source

  • Fixed a licensing issue spotted and reported by @​george-thomas-hill
  • Updated several build and test dependencies

v3.0.4: DOMPurify 3.0.4

Compare Source

  • Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @​leeN
  • Fixed a typo with shadowrootmod which should be shadowrootmode, thanks @​masatokinugawa

v3.0.3: DOMPurify 3.0.3

Compare Source

  • Added new TRUSTED_TYPES_POLICY configuration option, thanks @​dejang
  • Added feDropShadow to the SVG filter allow-list, thanks @​SelfMadeSystem

v3.0.2: DOMPurify 3.0.2

Compare Source

  • Fixed an issue with ALLOWED_URI_REGEXP not being reset, thanks @​mukilane
  • Added mprescripts tag to allowed MathML elements, thanks @​duyhai94
  • Added SMS URI scheme to allowed URI schemes, tanks @​Kiwka
  • Updated supported browser versions for nicer code and smaller size, thanks @​buzinas

v3.0.1: DOMPurify 3.0.1

Compare Source

  • Fixed a problem with improper reset of custom HTML options, thanks @​ammaraskar

v3.0.0: DOMPurify 3.0.0

Compare Source

  • Removed all code that is for MSIE-only
  • Removed all tests that are for MSIE-only
  • Modified documentation to reflect new state of MSIE support
  • Added support for ALLOW_SELF_CLOSE_IN_ATTR flag, thanks @​edg2s @​AndreVirtimo
  • Added better support for shadowrootmode, thanks @​mfreed7

NOTE Please use the 2.4.4 release if you still need MSIE support, 3.0.0 comes without the MSIE overhead

v2.5.9: DOMPurify 2.5.9

Compare Source

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing

v2.5.8: DOMPurify 2.5.8

Compare Source

v2.5.7: DOMPurify 2.5.7

Compare Source

  • Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
  • Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa

v2.5.6: DOMPurify 2.5.6

Compare Source

  • Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
  • Fixed a minor problem with the bower file pointing to the wrong dist path
  • Updated several development dependencies

v2.5.5: DOMPurify 2.5.5

Compare Source

  • Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
  • Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

v2.5.4: DOMPurify 2.5.4

Compare Source

  • Fixed a bug with latest isNaN checks affecting MSIE, thanks @​tulach
  • Fixed the tests for MSIE and fixed related test-runner

v2.5.3: DOMPurify 2.5.3

Compare Source

  • Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
  • Fixed some smaller issues in README and other documentation

v2.5.2: DOMPurify 2.5.2

Compare Source

  • Addressed and fixed a mXSS variation found by @​kevin-mizu
  • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

v2.5.1: DOMPurify 2.5.1

Compare Source

  • Fixed an mXSS sanitizer bypass reported by @​icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

v2.5.0: DOMPurify 2.5.0

Compare Source

  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

v2.4.9: DOMPurify 2.4.9

Compare Source

  • Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

v2.4.8: DOMPurify 2.4.8

Compare Source

  • Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser

v2.4.7: DOMPurify 2.4.7

Compare Source

v2.4.6: DOMPurify 2.4.6

Compare Source

  • Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @​leeN

v2.4.5: DOMPurify 2.4.5

Compare Source

  • Fixed a problem with improper reset of custom HTML options, thanks @​ammaraskar

v2.4.4: DOMPurify 2.4.4

Compare Source

v2.4.3: DOMPurify 2.4.3

Compare Source

  • Final release that is compatible with MSIE10 & MSIE 11

v2.4.2: DOMPurify 2.4.2

Compare Source

  • Fixed a Trusted Types sink violation with empty input and NAMESPACE , thanks @​tosmolka
  • Fixed a Prototype Pollution issue discovered and reported by @​kevin-mizu

v2.4.1: DOMPurify 2.4.1

Compare Source

v2.4.0: DOMPurify 2.4.0

Compare Source

  • Removed bundled types again as they caused too much trouble

v2.3.12: DOMPurify 2.3.12

Compare Source

v2.3.11: DOMPurify 2.3.11

Compare Source

  • Added generated type definitions for better compatibility
  • Added SANITIZE_NAMED_PROPS config option, thanks @​SoheilKhodayari
  • Updated README and config documentation, thanks @​0xedward
  • Updated test suite with newer Node versions

v2.3.10: DOMPurify 2.3.10

Compare Source

  • Added support for sanitization of attributes requiring Trusted Types, thanks @​tosmolka

v2.3.9: DOMPurify 2.3.9

Compare Source

  • Made TAG and ATTR config options case-sensitive when parsing XHTML, thanks @​tosmolka
  • Bumped some dependencies, thanks @​is2ei
  • Included github-actions in the dependabot config, thanks @​nathannaveen

Configuration

📅 Schedule: (in timezone Europe/Oslo)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the security label Sep 16, 2024
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from 8a112e8 to 541d769 Compare February 14, 2025 20:31
@renovate renovate Bot changed the title Update dependency dompurify to v2.5.4 [SECURITY] Update dependency dompurify to v3 [SECURITY] Feb 14, 2025
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from 541d769 to 6ab3e0d Compare October 10, 2025 14:07
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from 6ab3e0d to 81002db Compare October 21, 2025 19:56
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from 81002db to 1b7559b Compare November 10, 2025 21:42
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from 1b7559b to 25f4088 Compare November 18, 2025 13:35
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from 25f4088 to bd7f28a Compare December 3, 2025 16:16
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from bd7f28a to c72af0b Compare December 31, 2025 18:35
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from c72af0b to 59476c1 Compare January 8, 2026 21:11
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from 59476c1 to cef6421 Compare January 19, 2026 20:32
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from cef6421 to c4ff104 Compare February 2, 2026 15:40
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch 2 times, most recently from 69fa4ac to 12286a8 Compare February 17, 2026 17:44
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from 12286a8 to a0ad213 Compare March 5, 2026 16:40
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from a0ad213 to e6eafd6 Compare March 13, 2026 12:35
@renovate renovate Bot changed the title Update dependency dompurify to v3 [SECURITY] Update dependency dompurify to v3 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-dompurify-vulnerability branch March 27, 2026 02:42
@renovate renovate Bot changed the title Update dependency dompurify to v3 [SECURITY] - autoclosed Update dependency dompurify to v3 [SECURITY] Mar 28, 2026
@renovate renovate Bot reopened this Mar 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch 4 times, most recently from 5994aad to ff4cc11 Compare April 1, 2026 15:49
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from ff4cc11 to 210bdd2 Compare April 8, 2026 15:56
@renovate renovate Bot changed the title Update dependency dompurify to v3 [SECURITY] Update dependency dompurify to v3 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency dompurify to v3 [SECURITY] - autoclosed Update dependency dompurify to v3 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch 3 times, most recently from fa33b8c to df6f69a Compare April 29, 2026 17:52
@renovate
Update dependency dompurify to v3 [SECURITY]
cdbab4e 
Dependency update (patch) :)
@renovate renovate Bot force-pushed the renovate/npm-dompurify-vulnerability branch from df6f69a to cdbab4e Compare May 12, 2026 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants