[From nobody Sat Apr 25 15:51:10 2026 Received: (at submit) by bugs.debian.org; 25 Apr 2026 12:14:02 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-3.9 required=4.0 tests=BAYES_00, FOURLA, SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 54; hammy, 150; neutral, 77; spammy, 0. spammytokens: hammytokens:0.000-+--UD:security-tracker.debian.org, 0.000-+--securitytrackerdebianorg, 0.000-+--security-tracker.debian.org, 0.000-+--H*r:jmm, 0.000-+--sk:teamse Return-path: <jmm@inutil.org> Received: from inutil.org ([51.38.114.215]:35670 helo=vps-b7ad3695.vps.ovh.net) by buxtehude.debian.org with esmtp (Exim 4.96) (envelope-from <jmm@inutil.org>) id 1wGbtY-000Zt4-3D for submit@bugs.debian.org; Sat, 25 Apr 2026 12:14:02 +0000 Received: from soju.westfalen.local (p548dc5fc.dip0.t-ipconnect.de [84.141.197.252]) by vps-b7ad3695.vps.ovh.net (Postfix) with ESMTPSA id DA52E1F7 for <submit@bugs.debian.org>; Sat, 25 Apr 2026 12:13:58 +0000 (UTC) Received: from jmm by soju.westfalen.local with local (Exim 4.99.1) (envelope-from <jmm@soju.westfalen.local>) id 1wGbs6-00000003ZMN-0ISF for submit@bugs.debian.org; Sat, 25 Apr 2026 14:12:30 +0200 Date: Sat, 25 Apr 2026 14:12:30 +0200 To: submit@bugs.debian.org Subject: node-dompurify: CVE-2026-41238 CVE-2026-41239 CVE-2026-41240 Message-ID: <aeyvrnH40D8qnRev@pisco.westfalen.local> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit From: =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= <jmm@inutil.org> Delivered-To: submit@bugs.debian.org Source: node-dompurify X-Debbugs-CC: team@security.debian.org Severity: important Tags: security Hi, The following vulnerabilities were published for node-dompurify. All fixed in 3.4.0 CVE-2026-41238[0]: | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, | MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a | prototype pollution-based XSS bypass. When an application uses | `DOMPurify.sanitize()` with the default configuration (no | `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution | gadget can inject permissive `tagNameCheck` and `attributeNameCheck` | regex values into `Object.prototype`, causing DOMPurify to allow | arbitrary custom elements with arbitrary attributes — including | event handlers — through sanitization. Version 3.4.0 fixes the | issue. CVE-2026-41239[1]: | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, | MathML, and SVG. Starting in version 1.0.10 and prior to version | 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from | untrusted HTML. This works in string mode but not with `RETURN_DOM` | or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating | frameworks like Vue 2. Version 3.4.0 patches the issue. CVE-2026-41240[2]: | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, | MathML, and SVG. Versions prior to 3.4.0 have an inconsistency | between FORBID_TAGS and FORBID_ATTR handling when function-based | ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR | at line 1214. The same fix was not applied to FORBID_TAGS. At line | 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the | short-circuit evaluation skips the FORBID_TAGS check entirely. This | allows forbidden elements to survive sanitization with their | attributes intact. Version 3.4.0 patches the issue. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-41238 https://www.cve.org/CVERecord?id=CVE-2026-41238 [1] https://security-tracker.debian.org/tracker/CVE-2026-41239 https://www.cve.org/CVERecord?id=CVE-2026-41239 [2] https://security-tracker.debian.org/tracker/CVE-2026-41240 https://www.cve.org/CVERecord?id=CVE-2026-41240 Please adjust the affected versions in the BTS as needed. ]