Permissive List of Allowed Inputs Affecting dompurify package, versions <3.3.2

Q: How to fix?

Upgrade dompurify to version 3.3.2 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-DOMPURIFY-15874905
published3 Apr 2026
disclosed3 Apr 2026
creditchristos-eth

Report a new vulnerability Found a mistake?

Introduced: 3 Apr 2026

NewCWE-183 (opens in a new tab)

How to fix?

Upgrade dompurify to version 3.3.2 or higher.

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Permissive List of Allowed Inputs in the ADD_ATTR predicate function via EXTRA_ELEMENT_HANDLING.attributeCheck. An attacker can inject and execute malicious scripts in the DOM by bypassing URI validation for specific attribute and tag combinations, such as allowing href attributes with unsafe protocols like javascript:.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
Passive

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
Low
Integrity (SI)
Low
Availability (SA)
None