org.webjars.npm:dompurify 3.4.8

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:dompurify package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Initialization org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Improper Initialization in the `DOMPurify.setConfig()` API when an `uponSanitizeAttribute` hook is registered that mutates `allowedAttributes`. An attacker can cause persistent modification of the attribute allowlist by submitting specially crafted content, resulting in unauthorized attributes being permitted in all subsequent sanitization calls. How to fix Improper Initialization? Upgrade `org.webjars.npm:dompurify` to version 3.4.11 or higher.	[,3.4.11)
L Protection Mechanism Failure org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Protection Mechanism Failure through the `clearConfig` function. An attacker can execute arbitrary scripts in a Trusted Types sink by influencing a previously supplied `TRUSTED_TYPES_POLICY` on a reused instance and later triggering output with `RETURN_TRUSTED_TYPE: true`. Note: This is only exploitable if a DOMPurify instance is reused across trust boundaries and a less-trusted integration or attacker has previously set an unsafe Trusted Types policy. How to fix Protection Mechanism Failure? Upgrade `org.webjars.npm:dompurify` to version 3.4.9 or higher.	[,3.4.9)

Vulnerability

Vulnerable Version

Improper Initialization

org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Improper Initialization in the DOMPurify.setConfig() API when an uponSanitizeAttribute hook is registered that mutates allowedAttributes. An attacker can cause persistent modification of the attribute allowlist by submitting specially crafted content, resulting in unauthorized attributes being permitted in all subsequent sanitization calls.

How to fix Improper Initialization?

Upgrade org.webjars.npm:dompurify to version 3.4.11 or higher.

[,3.4.11)

Protection Mechanism Failure

org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Protection Mechanism Failure through the clearConfig function. An attacker can execute arbitrary scripts in a Trusted Types sink by influencing a previously supplied TRUSTED_TYPES_POLICY on a reused instance and later triggering output with RETURN_TRUSTED_TYPE: true.

Note:

This is only exploitable if a DOMPurify instance is reused across trust boundaries and a less-trusted integration or attacker has previously set an unsafe Trusted Types policy.

How to fix Protection Mechanism Failure?

Upgrade org.webjars.npm:dompurify to version 3.4.9 or higher.

[,3.4.9)

org.webjars.npm:dompurify@3.4.8

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically