Description
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
References (4)
Core References
Exploit, Third Party Advisory: https://ensy.zip/posts/dompurify-323-bypass/
Release Notes: https://github.com/cure53/DOMPurify/releases/tag/3.2.4
Exploit, Third Party Advisory: https://nsysean.github.io/posts/dompurify-323-bypass/
Scores
CVSS v3
4.5
EPSS
0.0011
EPSS Percentile
29.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
cure53/dompurify: < 3.2.4
npm/dompurify: 0 - 3.2.4 (npm)
Published
Feb 14, 2025
Tracked Since
Feb 18, 2026