Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
DOMPurify's attribute check can be bypassed allowing XSS
GHSA-cjmm-f4jc-qw8r
Summary
An attacker can exploit a weakness in the way DOMPurify handles attribute checks to inject malicious code into web pages. This could allow an attacker to execute code on your website if users click on a link. To fix this, update to the latest version of DOMPurify.
What to do
- Update dompurify to version 3.3.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | dompurify | <= 3.3.1 | 3.3.2 |
Original title
DOMPurify ADD_ATTR predicate skips URI validation
Original description
## Summary
DOMPurify allows `ADD_ATTR` to be provided as a predicate function via `EXTRA_ELEMENT_HANDLING.attributeCheck`. When the predicate returns `true`, `_isValidAttribute` short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific attribute/tag combinations can then sanitize input such as `<a href="javascript:alert(document.domain)">` and have the `javascript:` URL survive, because URI validation is skipped for that attribute while other checks still pass. The provided PoC accepts `href` for anchors and then triggers a click inside an iframe, showing that the sanitized payload executes despite the protocol bypass.
## Impact
Predicate-based allowlisting bypasses DOMPurify's URI validation, allowing unsafe protocols such as `javascript:` to reach the DOM and execute whenever the link is activated, resulting in DOM-based XSS.
## Credits
Identified by Cantina’s Apex (https://www.cantina.security).
DOMPurify allows `ADD_ATTR` to be provided as a predicate function via `EXTRA_ELEMENT_HANDLING.attributeCheck`. When the predicate returns `true`, `_isValidAttribute` short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific attribute/tag combinations can then sanitize input such as `<a href="javascript:alert(document.domain)">` and have the `javascript:` URL survive, because URI validation is skipped for that attribute while other checks still pass. The provided PoC accepts `href` for anchors and then triggers a click inside an iframe, showing that the sanitized payload executes despite the protocol bypass.
## Impact
Predicate-based allowlisting bypasses DOMPurify's URI validation, allowing unsafe protocols such as `javascript:` to reach the DOM and execute whenever the link is activated, resulting in DOM-based XSS.
## Credits
Identified by Cantina’s Apex (https://www.cantina.security).
ghsa CVSS4.0
5.3
Vulnerability type
CWE-183
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026