DOMPurify: Event Handlers Bypassed with Prototype Pollution
GHSA-cj63-jhhr-wcxv
Summary
DOMPurify, a library that sanitizes untrusted HTML, has a security issue that can allow attackers to inject malicious code into a website. When the `USE_PROFILES` option is enabled, a polluted `Array.prototype` lets an attacker bypass the attribute allowlist, so event handler attributes survive sanitization and script runs in your page. To protect your website, update DOMPurify to the latest version.
What to do
- Update dompurify to version 3.3.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | dompurify | <= 3.3.1 | 3.3.2 |
Original title
DOMPurify USE_PROFILES prototype pollution allows event handlers
Original description
## Summary
When `USE_PROFILES` is enabled, DOMPurify rebuilds `ALLOWED_ATTR` as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via `ALLOWED_ATTR[lcName]`, any `Array.prototype` property that is polluted also counts as an allowlisted attribute. An attacker who can set `Array.prototype.onclick = true` (or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handlers such as `onclick` even when they are normally forbidden. The provided PoC sanitizes `<img onclick=...>` with `USE_PROFILES` and adds the sanitized output to the DOM; the polluted prototype allows the event handler to survive and execute, turning what should be a blocklist into a silent XSS vector.
## Impact
Prototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered.
## Credits
Identified by Cantina’s Apex (https://www.cantina.security).
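The root cause described above is the lookup pattern `allowlist[name]` on a plain array, which also reads inherited properties. The following is an added illustration, not DOMPurify's own code: it models that lookup beside a hardened form (prototype-less object plus an own-property check) and compares both with and without a constructed polluted `Array.prototype` property. Function names (`buildNaiveAllowlist`, `isAllowedHardened`, `withPollutedPrototype`, `compare`) and the sample profile are assumptions made here.

```javascript
// Added illustration (not DOMPurify's code): models the allowlist lookup
// the advisory describes and a hardened alternative. All names are hypothetical.

// Vulnerable pattern: the allowlist is a plain array consulted with `list[name]`,
// so any property inherited from Array.prototype reads as "allowed".
function buildNaiveAllowlist(names) {
  const allowed = [];                          // plain array, inherits Array.prototype
  for (const n of names) allowed[n.toLowerCase()] = true;
  return allowed;
}
function isAllowedNaive(allowed, attrName) {
  return Boolean(allowed[attrName.toLowerCase()]);
}

// Hardened pattern: a prototype-less object so only own properties exist,
// and an own-property check so a polluted Object.prototype cannot interfere either.
function buildHardenedAllowlist(names) {
  const allowed = Object.create(null);
  for (const n of names) allowed[n.toLowerCase()] = true;
  return allowed;
}
function isAllowedHardened(allowed, attrName) {
  return Object.prototype.hasOwnProperty.call(allowed, attrName.toLowerCase());
}

// Runs `fn` while Array.prototype carries a constructed polluted property,
// then removes it again so nothing leaks past the demonstration.
function withPollutedPrototype(prop, fn) {
  Array.prototype[prop] = true;                // constructed pollution, for the demo only
  try { return fn(); } finally { delete Array.prototype[prop]; }
}

// Evaluates one attribute name against both lookups, clean and polluted.
function compare(attrName) {
  const profile = ['src', 'alt', 'title'];     // constructed sample attribute profile
  const naive = buildNaiveAllowlist(profile);
  const hardened = buildHardenedAllowlist(profile);
  const clean = { naive: isAllowedNaive(naive, attrName),
                  hardened: isAllowedHardened(hardened, attrName) };
  const polluted = withPollutedPrototype(attrName.toLowerCase(), () => ({
    naive: isAllowedNaive(naive, attrName),
    hardened: isAllowedHardened(hardened, attrName),
  }));
  return { clean, polluted };
}

console.log(JSON.stringify(compare('onclick')));
// prints {"clean":{"naive":false,"hardened":false},"polluted":{"naive":true,"hardened":false}}
```

Only the naive lookup flips for an event handler attribute once the prototype is polluted; the hardened lookup is unaffected, which is the property a sanitizer's allowlist needs.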
CVSS 4.0 (GHSA): 5.3
Vulnerability type
CWE-1321
Prototype Pollution
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026