MEDIUM 4.5

GHSA-vhxf-7vqr-mrjg

DOMPurify allows Cross-site Scripting (XSS)

Details

DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).

Affected packages

npm / dompurify
Introduced in: 0
Fixed in: 3.2.4
Fix: npm install dompurify@3.2.4
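
A lockfile check for the affected range above, as an added example that is not part of the advisory or the DOMPurify project: it flags every dompurify copy below 3.2.4 in a parsed package-lock.json, including nested copies, and heuristically spots SAFE_FOR_TEMPLATES: true in source text. The sample lockfile and the package name rich-editor are constructed.

```javascript
// Added example (not from the advisory): triage for GHSA-vhxf-7vqr-mrjg.
const FIXED = [3, 2, 4]; // "Fixed in: 3.2.4" from the advisory

// True when a semver string is below 3.2.4. A pre-release of 3.2.4
// (e.g. 3.2.4-rc.1) sorts before the release, so it counts as affected.
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(version).trim());
  if (!m) return true; // unparseable version: flag for manual review
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Walk a parsed package-lock.json and return every affected dompurify copy.
// Handles "packages" (lockfileVersion 2/3) and, when that key is absent,
// the legacy nested "dependencies" tree (lockfileVersion 1).
function findAffected(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/dompurify$/.test(path) && isAffected(pkg.version)) {
      hits.push({ path, version: pkg.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'dompurify' && isAffected(pkg.version)) hits.push({ path, version: pkg.version });
      walk(pkg.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Heuristic: the advisory only applies when this option is set to true.
// Misses values passed through variables, so treat "false" as "not proven".
function enablesSafeForTemplates(source) {
  return /\bSAFE_FOR_TEMPLATES\b['"]?\s*:\s*true\b/.test(source);
}

// Constructed sample lockfile (lockfileVersion 3 layout).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/dompurify': { version: '3.2.4' },
    'node_modules/rich-editor/node_modules/dompurify': { version: '2.5.7' },
  },
};
```

To run it against a real project, pass the result of JSON.parse on the contents of package-lock.json to findAffected.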

References