SB2026052785 - Multiple vulnerabilities in DOMPurify

Published: May 27, 2026

Security Bulletin ID: SB2026052785
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Input validation error (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in the context of the application.

The vulnerability exists due to improper input validation in the IN_PLACE sanitization mode when processing attacker-supplied DOM objects with attacker-controlled nodeName values on live non-form nodes. A remote attacker can supply a crafted DOM object to retain script-capable content and execute arbitrary script code in the context of the application.

The issue involves script retention on live non-form nodes.


2) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to insufficient sanitization of template content when processing HTML that contains a template element with a shadow root attached inside template.content. A remote attacker can supply crafted HTML that survives sanitization and execute arbitrary script in the victim's browser.

Exploitation occurs when the application clones the template and inserts the result into the page.
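An added defense-in-depth audit, not from the bulletin or the DOMPurify project and no substitute for the vendor update: it walks a sanitized template's content and any attached shadow root for script-capable nodes before the template is cloned, the step at which the bulletin says exploitation occurs. The constructed SAMPLE_TEMPLATE and the choice to compare nodeName as text are assumptions of this example.

```javascript
// Added defense-in-depth check, not code from the bulletin or the DOMPurify
// project. A walk over childNodes alone never enters template.content or an
// attached shadow root, since each is a separate tree; this audit descends
// into both before a template is cloned. It uses only the standard DOM
// properties nodeName, attributes, childNodes, content and shadowRoot, so the
// constructed SAMPLE_TEMPLATE below stands in for a live DOM outside a browser.

function findScriptCapableNodes(root) {
  const findings = [];
  const visit = (node, where) => {
    // String() so a non-string, attacker-controlled nodeName is still compared as text.
    const name = String(node.nodeName || "").toUpperCase();
    if (name === "SCRIPT") findings.push(`${where}: <script>`);
    for (const attr of Array.from(node.attributes || [])) {
      // Event-handler attributes are script-capable content as well.
      if (/^on/i.test(String(attr.name))) findings.push(`${where}: ${attr.name}`);
    }
    // The two subtrees a childNodes walk misses. Caveat: a closed shadow root
    // is not exposed through .shadowRoot and cannot be audited this way.
    if (node.content) visit(node.content, `${where}/template.content`);
    if (node.shadowRoot) visit(node.shadowRoot, `${where}/shadowRoot`);
    Array.from(node.childNodes || []).forEach((child, i) => visit(child, `${where}/${i}`));
  };
  visit(root, "template");
  return findings;
}

// Refuse to clone when the audit finds anything; otherwise clone as usual.
function safeCloneTemplate(template) {
  const findings = findScriptCapableNodes(template);
  if (findings.length > 0) {
    throw new Error(`refusing to clone template: ${findings.join("; ")}`);
  }
  return template.content.cloneNode(true);
}

// Constructed sample mirroring the shape the bulletin describes: template content
// holding a div with an attached shadow root that contains a script element.
const SAMPLE_TEMPLATE = {
  nodeName: "TEMPLATE", childNodes: [],
  content: {
    nodeName: "#document-fragment",
    childNodes: [{
      nodeName: "DIV", attributes: [],
      childNodes: [{ nodeName: "P", attributes: [{ name: "onclick", value: "" }], childNodes: [] }],
      shadowRoot: { nodeName: "#document-fragment", childNodes: [{ nodeName: "SCRIPT", childNodes: [] }] },
    }],
  },
};
```

In a browser, pass the real template element; `findScriptCapableNodes` reports a path per finding and `safeCloneTemplate` throws instead of cloning.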


Remediation

Install the update from the vendor's website.