DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize() with the default configuration (no CUSTOM_ELEMENT_HANDLING option), a prior prototype pollution gadget can inject permissive tagNameCheck and attributeNameCheck regex values into Object.prototype, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. Version 3.4.0 fixes the issue.
Exploitability
AV:NAC:HPR:NUI:RScope
S:CImpact
C:HI:LA:N6.9/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:NInjection
Input Validation