GHSA-cj63-jhhr-wcxv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cj63-jhhr-wcxv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cj63-jhhr-wcxv/GHSA-cj63-jhhr-wcxv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cj63-jhhr-wcxv
- Downstream
- Related
- Published
- 2026-04-03T03:45:08Z
- Modified
- 2026-04-07T18:44:12.020335902Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- DOMPurify USE_PROFILES prototype pollution allows event handlers
- Details
-
Summary
When
USE_PROFILESis enabled, DOMPurify rebuildsALLOWED_ATTRas a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes viaALLOWED_ATTR[lcName], anyArray.prototypeproperty that is polluted also counts as an allowlisted attribute. An attacker who can setArray.prototype.onclick = true(or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handlers such asonclickeven when they are normally forbidden. The provided PoC sanitizes<img onclick=...>withUSE_PROFILESand adds the sanitized output to the DOM; the polluted prototype allows the event handler to survive and execute, turning what should be a blocklist into a silent XSS vector.Impact
Prototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered.
Credits
Identified by Cantina’s Apex (https://www.cantina.security).
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-04-03T03:45:08Z", "cwe_ids": [ "CWE-1321" ], "severity": "MODERATE", "nvd_published_at": null }- References
Affected packages
npm / dompurify
Package
- Name
- dompurify
- View open source insights on deps.dev
- Purl
- pkg:npm/dompurify