CVE-2026-0540 Overview
DOMPurify, the popular DOM-only XSS sanitization library developed by Cure53, contains a cross-site scripting (XSS) vulnerability in versions 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8. The vulnerability allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex pattern. When sanitized output is placed inside these unprotected rawtext contexts, malicious payloads can execute JavaScript in the victim's browser.
Critical Impact
Attackers can bypass DOMPurify's attribute sanitization and achieve JavaScript execution by crafting payloads that exploit missing rawtext element handling, such as </noscript><img src=x onerror=alert(1)> in attribute values.
Affected Products
- Cure53 DOMPurify versions 3.1.3 through 3.3.1
- Cure53 DOMPurify versions 2.5.3 through 2.5.8
- Web applications using affected DOMPurify versions for HTML sanitization
Discovery Timeline
- 2026-03-03 - CVE CVE-2026-0540 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-0540
Vulnerability Analysis
This vulnerability represents a bypass of DOMPurify's XSS sanitization mechanisms, specifically affecting the SAFE_FOR_XML mode. The library is designed to sanitize HTML and prevent XSS attacks by stripping or neutralizing potentially malicious content. However, the regex pattern used to detect dangerous content within attribute values failed to account for five specific rawtext elements: noscript, xmp, noembed, noframes, and iframe.
When DOMPurify processes HTML content with the SAFE_FOR_XML option enabled, it applies regex-based filtering to attribute values to detect closing tags that could break out of element contexts. The incomplete regex allowed attackers to craft payloads containing closing tags for these unhandled rawtext elements, effectively bypassing the sanitization and enabling script execution.
The vulnerability is particularly concerning because DOMPurify is widely deployed as a security control across numerous web applications and frameworks. Applications that render DOMPurify-sanitized content within rawtext elements (such as <noscript> blocks) are directly vulnerable to XSS exploitation.
Root Cause
The root cause lies in an incomplete regex pattern within DOMPurify's attribute sanitization logic. The SAFE_FOR_XML regex was originally designed to detect and block closing tags like </style> and </title> within attribute values, which could otherwise be used to break out of those contexts. However, the regex did not include coverage for additional rawtext elements (noscript, xmp, noembed, noframes, iframe, textarea), creating a gap that attackers could exploit.
The original regex pattern /((--!?|])>)|<\/(style|title)/i only matched style and title closing tags, leaving the other rawtext elements completely unprotected against this class of context-escaping attacks.
Attack Vector
The attack requires network access and involves crafting malicious HTML input that exploits the regex gap. An attacker can inject a payload containing a closing rawtext tag followed by executable JavaScript. For example, if an application uses DOMPurify to sanitize user input and then renders the output inside a <noscript> element, the attacker can use a payload like:
</noscript><img src=x onerror=alert(1)>
When this payload passes through the incomplete sanitization and is rendered within a <noscript> context, the closing tag breaks out of the rawtext element, allowing the subsequent <img> tag's onerror handler to execute JavaScript.
The following patch demonstrates how Cure53 addressed this vulnerability by extending the regex to include the textarea element:
value = SANITIZE_NAMED_PROPS_PREFIX + value;
}
/* Work around a security issue with comments inside attributes */
- if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
+ if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title|textarea)/i, value)) {
_removeAttribute(name, currentNode);
continue;
}
Source: GitHub DOMPurify Commit
Detection Methods for CVE-2026-0540
Indicators of Compromise
- HTTP requests containing rawtext element closing tags (</noscript>, </xmp>, </noembed>, </noframes>, </iframe>) in input parameters
- Web application logs showing unusual attribute values with embedded HTML closing tags
- JavaScript errors or unexpected script execution originating from DOMPurify-sanitized content areas
- User reports of unexpected pop-ups or script behavior on pages rendering sanitized HTML
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block payloads containing rawtext closing tags followed by script elements
- Monitor client-side JavaScript errors that indicate XSS payload execution attempts
- Use Content Security Policy (CSP) violation reports to identify attempted inline script execution
- Perform regular dependency scanning to identify applications using vulnerable DOMPurify versions
Monitoring Recommendations
- Enable detailed logging for all user input processing through DOMPurify sanitization
- Set up alerts for CSP violations indicating inline-script or eval attempts
- Monitor npm/yarn audit outputs for known vulnerabilities in dompurify package
- Implement real-time tracking of JavaScript runtime errors that may indicate XSS exploitation attempts
How to Mitigate CVE-2026-0540
Immediate Actions Required
- Update DOMPurify to version 3.3.2 or later (for 3.x branch) or the latest patched 2.x version
- Audit application code to identify where DOMPurify-sanitized output is rendered within rawtext elements
- Review and strengthen Content Security Policy headers to block inline script execution as a defense-in-depth measure
- Consider temporarily disabling SAFE_FOR_XML mode if immediate patching is not possible and XML safety is not required
Patch Information
Cure53 has released a security fix in commit fca0a938b4261ddc9c0293a289935a9029c049f5 that improves the regex patterns for rawtext tag handling. The patch extends the SAFE_FOR_XML regex to include additional dangerous closing tags that could be used for context escaping. Organizations using DOMPurify should update to the latest patched version immediately. For detailed patch information, refer to the GitHub DOMPurify Commit Changes.
Workarounds
- Avoid rendering DOMPurify-sanitized content inside rawtext elements (noscript, xmp, noembed, noframes, iframe) until patched
- Implement additional server-side validation to strip rawtext closing tags from user input before DOMPurify processing
- Deploy strict Content Security Policy headers with script-src directives that block inline scripts and unsafe-eval
- Use HTML encoding as an additional layer when outputting sanitized content within rawtext contexts
# Update DOMPurify via npm
npm update dompurify@latest
# Verify installed version
npm list dompurify
# Audit for vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
