GHSA-39q2-94rc-95cp
Logic error vulnerability in dompurify (npm)
What is GHSA-39q2-94rc-95cp About?
This is a logic error vulnerability in `DOMPurify` that causes `FORBID_TAGS` to be bypassed by `ADD_TAGS` when provided as a function. This inconsistency allows forbidden tags to be unexpectedly permitted in the sanitized output, potentially leading to injection vulnerabilities. Exploitation depends on specific configuration, but it can be easily triggered by supplying a forbidden tag that is also covered by a functional `ADD_TAGS` rule.
Affected Software
Technical Details
The vulnerability exists in dompurify version 3.3.3 within the `src/purify.ts` file (lines 1117-1123). It is a logic error in the order of operations when `ADD_TAGS` is used as a function (via `EXTRA_ELEMENT_HANDLING.tagCheck`) and `FORBID_TAGS` is also configured. The condition `!(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])` is flawed because of short-circuit evaluation: if `tagCheck(tagName)` returns true (the tag is allowed by a function in `ADD_TAGS`), the whole condition is false and `FORBID_TAGS[tagName]` is never evaluated. A tag that should be explicitly forbidden therefore passes sanitization whenever a functional `ADD_TAGS` rule also permits it. This contrasts with the attribute-side pattern, where `FORBID_ATTR` explicitly takes precedence.
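To make the short-circuit problem concrete, the following is an added example that models the tag-admission decision described above; it is not DOMPurify's own code, and the configuration, the `tagCheck` predicate, the function names and the input tag list are all constructed for illustration. It places the flawed ordering beside a fixed ordering in which the forbid list is consulted first, the precedence the advisory says the attribute side already applies.

```javascript
// Added example (not DOMPurify code): a model of the tag-admission check
// described in the advisory, with the flawed ordering beside a fixed one.
// All names and the sample configuration below are constructed.

// Constructed configuration. ALLOWED_TAGS/FORBID_TAGS are lookups as on
// the page; tagCheck stands in for ADD_TAGS supplied as a function.
const ALLOWED_TAGS = { p: true, a: true, b: true };
const FORBID_TAGS = { a: true }; // the application wants <a> dropped
// Hypothetical ADD_TAGS function: admits <a> and any x-* custom element.
const tagCheck = (tagName) => /^(a|x-[a-z]+)$/.test(tagName);

const config = { allowed: ALLOWED_TAGS, forbid: FORBID_TAGS, tagCheck };

// Flawed ordering from the advisory. When tagCheck returns true the left
// operand of && is false, so FORBID_TAGS[tagName] is never read.
function shouldRemoveTagFlawed(tagName, cfg) {
  return !cfg.tagCheck(tagName) && (!cfg.allowed[tagName] || !!cfg.forbid[tagName]);
}

// Fixed ordering: FORBID_TAGS is consulted first and wins unconditionally,
// mirroring the attribute-side pattern where FORBID_ATTR takes precedence.
function shouldRemoveTagFixed(tagName, cfg) {
  if (cfg.forbid[tagName]) return true;
  return !cfg.tagCheck(tagName) && !cfg.allowed[tagName];
}

// Minimal stand-in for the sanitizer's element walk: a list of tag names
// (constructed, no HTML parsing) filtered by the chosen decision function.
function sanitizeTagNames(tagNames, cfg, shouldRemove) {
  return tagNames.filter((t) => !shouldRemove(t, cfg));
}

// Constructed input: an allowed tag, a forbidden tag that tagCheck also
// admits, a custom element admitted only by tagCheck, and an unknown tag.
const INPUT_TAGS = ['p', 'a', 'x-widget', 'script'];

// Runs both variants over the same input so the difference is visible:
// the flawed check keeps <a> despite FORBID_TAGS; the fixed check drops it.
function compareVariants() {
  return {
    flawed: sanitizeTagNames(INPUT_TAGS, config, shouldRemoveTagFlawed),
    fixed: sanitizeTagNames(INPUT_TAGS, config, shouldRemoveTagFixed),
  };
}

console.log(compareVariants());
```

Running the block prints the two outcomes side by side: the flawed ordering keeps `a` because `tagCheck` returned true before the forbid list was reached, while the fixed ordering removes it and still admits the custom element that only `tagCheck` allows. Any application that combines a functional `ADD_TAGS` with `FORBID_TAGS` on an affected version should verify its own forbidden tags against sanitized output in the same way rather than assuming the forbid list wins.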
What is the Impact of GHSA-39q2-94rc-95cp?
Successful exploitation may allow attackers to inject forbidden HTML tags into the sanitized output, potentially leading to Cross-Site Scripting (XSS) or other content injection attacks.
What is the Exploitability of GHSA-39q2-94rc-95cp?
Exploitation complexity is low to medium, depending on the application's DOMPurify configuration. It requires the application to simultaneously use ADD_TAGS as a function and FORBID_TAGS in a way that creates the conflict. No authentication or special privileges are required. This is a local execution vulnerability, as it affects the client-side sanitization logic. The attacker needs to supply carefully crafted input containing tags that are both forbidden by FORBID_TAGS and allowed by the tagCheck function. The risk is primarily configuration-dependent, but once the condition is met, exploitation is straightforward, increasing the likelihood of successful content injection.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-39q2-94rc-95cp?
Available Upgrade Options
- dompurify
- <3.4.0 → Upgrade to 3.4.0
What are Similar Vulnerabilities to GHSA-39q2-94rc-95cp?
Similar Vulnerabilities: CVE-2021-3803, CVE-2023-26159, CVE-2016-9273, CVE-2021-39130, CVE-2022-25925
