dompurify is vulnerable to Protection Mechanism Failure
61
Medium Risk
When uponSanitizeElement or uponSanitizeAttribute hooks receive data.allowedTags or data.allowedAttributes, those fields are live references to the library's internal allow-lists, not copies. On default-config sanitize calls (no explicit ALLOWED_TAGS or ALLOWED_ATTR), those internal allow-lists alias the instance's DEFAULT_ALLOWED_TAGS and DEFAULT_ALLOWED_ATTR, so a hook that widens them during one call permanently poisons the defaults for that instance: the widening outlives the call and is not undone by removing the hook. Any later attacker-controlled HTML sanitized without an explicit allow-list override can then retain forbidden tags and attributes such as script or event handlers like onerror and onload. The patch clones the default allow-lists before hook processing whenever hooks are registered, matching the existing clone-before-mutate defense used for ADD_TAGS and ADD_ATTR.
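The aliasing described above, as an added example that is not DOMPurify's own code: a minimal sanitizer stand-in whose default-config path hands hooks either the shared default allow-list (the vulnerable behaviour) or a per-call copy (the patched behaviour). The names createSanitizer, cloneBeforeHooks, runTrustedCall and defaultsPoisoned are invented for this illustration, the tag filtering is a crude regex rather than a real parser, and the HTML inputs are constructed samples.

```javascript
// Added example: a minimal stand-in for a DOMPurify-style sanitizer that
// reproduces the allow-list aliasing described above and the clone-before-hook
// fix. Nothing here is DOMPurify's own code; createSanitizer, cloneBeforeHooks,
// runTrustedCall and defaultsPoisoned are names invented for this illustration.
// Tag handling is a crude regex over tag names, enough to show the aliasing
// but not a real sanitizer.

const TAG_RE = /<\/?([A-Za-z][A-Za-z0-9]*)\b[^>]*>/g;

// Build a lookup object from a list of names (DOMPurify keeps allow-lists as
// objects keyed by lower-cased name, which is why a hook can widen one with
// a plain property assignment).
function toSet(names) {
  const set = Object.create(null);
  for (const name of names) set[String(name).toLowerCase()] = true;
  return set;
}

function createSanitizer({ cloneBeforeHooks }) {
  // Per-instance defaults, shared by every call that passes no ALLOWED_TAGS.
  const DEFAULT_ALLOWED_TAGS = toSet(['a', 'b', 'i', 'p', 'span']);
  const hooks = [];

  function sanitize(html, cfg = {}) {
    let allowedTags;
    if (Object.prototype.hasOwnProperty.call(cfg, 'ALLOWED_TAGS')) {
      // Explicit override is always a fresh object, so hooks cannot reach the defaults.
      allowedTags = toSet(cfg.ALLOWED_TAGS);
    } else if (cloneBeforeHooks && hooks.length > 0) {
      // Patched behaviour: hooks get a copy of the defaults for this call only.
      allowedTags = toSet(Object.keys(DEFAULT_ALLOWED_TAGS));
    } else {
      // Vulnerable behaviour: data.allowedTags aliases the shared defaults.
      allowedTags = DEFAULT_ALLOWED_TAGS;
    }
    // Hooks see the live allow-list, as uponSanitizeElement does via data.allowedTags.
    for (const hook of hooks) hook({ allowedTags });
    // Drop every tag whose name is not allowed; text content is kept.
    return html.replace(TAG_RE, (tag, name) => (allowedTags[name.toLowerCase()] ? tag : ''));
  }

  function addHook(fn) { hooks.push(fn); }
  function removeHook(fn) {
    const i = hooks.indexOf(fn);
    if (i !== -1) hooks.splice(i, 1);
  }
  return { sanitize, addHook, removeHook };
}

// An integrator widens the allow-list for what it believes is a single trusted
// call, then removes the hook. On the vulnerable path the widening outlives both.
function runTrustedCall(purify) {
  const allowScript = (data) => { data.allowedTags.script = true; };
  purify.addHook(allowScript);
  const out = purify.sanitize('<script>trustedInit()</script>');
  purify.removeHook(allowScript);
  return out;
}

// Runtime check: a default-config call must never let a script tag through.
function defaultsPoisoned(purify) {
  return /<script\b/i.test(purify.sanitize('<script></script>'));
}

const ATTACKER_HTML = '<p>hi</p><script>alert(1)</script>'; // constructed sample input

for (const cloneBeforeHooks of [false, true]) {
  const purify = createSanitizer({ cloneBeforeHooks });
  runTrustedCall(purify);
  console.log(`cloneBeforeHooks=${cloneBeforeHooks}: poisoned=${defaultsPoisoned(purify)} ->`,
    purify.sanitize(ATTACKER_HTML));
}
```

With cloneBeforeHooks set to false the attacker's script tag survives the later default-config call even though the hook has been removed; with it set to true the widening is confined to the one call. The defaultsPoisoned check carries over to a real DOMPurify instance: after any hooks have run, sanitizing a bare script tag with the default configuration should still return an empty string, since DOMPurify strips script elements by default.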
You are affected if you are using a version that falls within the vulnerable range.
dompurify is vulnerable to Protection Mechanism Failure in versions 0.0.1 - 3.4.5.
Upgrade the dompurify library to a patched version (later than 3.4.5).