CVE-2026-41238 Overview
CVE-2026-41238 affects DOMPurify, a DOM-only cross-site scripting (XSS) sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 contain a prototype pollution-based XSS bypass. When an application calls DOMPurify.sanitize() with the default configuration, a prior prototype pollution gadget can inject permissive tagNameCheck and attributeNameCheck regex values into Object.prototype. This causes DOMPurify to allow arbitrary custom elements with arbitrary attributes, including event handlers, through the sanitization pipeline. Version 3.4.0 fixes the issue. The flaw is categorized as [CWE-79] Improper Neutralization of Input During Web Page Generation.
Critical Impact
Attackers with an existing prototype pollution primitive can bypass DOMPurify sanitization and execute arbitrary JavaScript in the victim's browser context.
Affected Products
- DOMPurify versions 3.0.1 through 3.3.3
- Applications using DOMPurify.sanitize() with default configuration
- Web applications that lack CUSTOM_ELEMENT_HANDLING overrides
Discovery Timeline
- 2026-04-23 - CVE-2026-41238 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41238
Vulnerability Analysis
DOMPurify exposes a CUSTOM_ELEMENT_HANDLING configuration object that controls which custom element tag names and attribute names pass sanitization. The object contains two regex fields, tagNameCheck and attributeNameCheck, which default to restrictive values. When a developer omits CUSTOM_ELEMENT_HANDLING from the sanitize options, DOMPurify reads these properties from the configuration prototype chain.
If an attacker has already polluted Object.prototype with permissive regex values for these properties, every sanitize call inherits the attacker-controlled checks. The sanitizer then accepts arbitrary custom element names and any attribute on those elements, including DOM event handlers such as onload or onerror. The result is a stored or reflected XSS bypass that defeats DOMPurify's primary security guarantee.
Root Cause
The root cause is unsafe property lookup on a configuration object without a null prototype. DOMPurify trusts that config.CUSTOM_ELEMENT_HANDLING.tagNameCheck is either developer-supplied or undefined, but JavaScript prototype semantics return values planted on Object.prototype when the own property is absent.
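The lookup difference described above, as an added example that is not DOMPurify's own code: a naive property read on a plain-object config against an own-property read over null-prototype defaults. The function names, the `null`-means-deny defaults and the `x-widget` tag are assumptions for illustration; the temporary write to Object.prototype is a test fixture that stands in for the state a separate pollution gadget would leave behind and is always cleaned up.

```javascript
// Added example (not DOMPurify's code). Demonstrates why reading
// config.CUSTOM_ELEMENT_HANDLING from a plain object literal inherits
// whatever sits on Object.prototype, and how an own-property lookup over
// null-prototype defaults avoids that. Names and defaults are assumptions.

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Assumed restrictive defaults: null means "no custom element / attribute is
// accepted". Built with a null prototype so the defaults cannot inherit.
const DEFAULT_CUSTOM_ELEMENT_HANDLING = Object.assign(Object.create(null), {
  tagNameCheck: null,
  attributeNameCheck: null,
});

// Vulnerable pattern: ordinary property access. When the own property is
// absent, JavaScript walks the prototype chain and returns whatever is there.
function naiveReadHandling(config) {
  const h = config.CUSTOM_ELEMENT_HANDLING || DEFAULT_CUSTOM_ELEMENT_HANDLING;
  return { tagNameCheck: h.tagNameCheck, attributeNameCheck: h.attributeNameCheck };
}

// Hardened pattern: only own properties count, and the result is a
// null-prototype object, so an inherited value never reaches the check.
function hardenedReadHandling(config) {
  const out = Object.create(null);
  const supplied = hasOwn(config, 'CUSTOM_ELEMENT_HANDLING') ? config.CUSTOM_ELEMENT_HANDLING : null;
  for (const key of ['tagNameCheck', 'attributeNameCheck']) {
    out[key] = supplied !== null && typeof supplied === 'object' && hasOwn(supplied, key)
      ? supplied[key]
      : DEFAULT_CUSTOM_ELEMENT_HANDLING[key];
  }
  return out;
}

// The check itself, modelled on the behaviour the advisory describes: a custom
// element passes only if a developer-supplied RegExp matches its tag name.
function customElementAllowed(tagName, handling) {
  return handling.tagNameCheck instanceof RegExp && handling.tagNameCheck.test(tagName);
}

// Test fixture only: temporarily plant a permissive value on Object.prototype,
// run fn, and always remove it again. This simulates the post-pollution state;
// it is not a pollution gadget.
function withSimulatedPollution(fn) {
  Object.defineProperty(Object.prototype, 'CUSTOM_ELEMENT_HANDLING', {
    value: { tagNameCheck: /.*/, attributeNameCheck: /.*/ },
    configurable: true,
    writable: true,
    enumerable: false,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype.CUSTOM_ELEMENT_HANDLING;
  }
}

// Compare both lookups against a config that omits CUSTOM_ELEMENT_HANDLING,
// which is the default-configuration case the advisory describes.
function compareLookups() {
  const config = { ALLOWED_TAGS: ['b', 'i'] }; // plain literal: inherits from Object.prototype
  return withSimulatedPollution(() => ({
    naiveAllows: customElementAllowed('x-widget', naiveReadHandling(config)),
    hardenedAllows: customElementAllowed('x-widget', hardenedReadHandling(config)),
  }));
}

function main() {
  console.log(compareLookups()); // { naiveAllows: true, hardenedAllows: false }
}
main();
```

The hardened reader is the shape of fix the advisory describes for 3.4.0 in spirit (own-property lookups, null-prototype defaults); the exact code the maintainers shipped is in the GHSA-v9jr-rg53-9pgp advisory, not here.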
Attack Vector
Exploitation requires two preconditions. First, the target application must contain a separate prototype pollution gadget reachable through user input, such as an unsafe Object.assign or recursive merge. Second, the application must invoke DOMPurify.sanitize() without supplying its own CUSTOM_ELEMENT_HANDLING block.
The attacker first triggers the prototype pollution to set Object.prototype.CUSTOM_ELEMENT_HANDLING to an object whose tagNameCheck and attributeNameCheck match any string. The attacker then submits HTML containing a custom element with an event handler attribute. DOMPurify consults the polluted prototype, treats the payload as permitted, and the rendered output executes attacker JavaScript.
No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-v9jr-rg53-9pgp for technical details from the maintainers.
Detection Methods for CVE-2026-41238
Indicators of Compromise
- DOM mutations that introduce unknown custom elements carrying inline event handler attributes such as onload, onerror, or onclick.
- Browser console errors or Content Security Policy violation reports referencing inline script execution from sanitized contexts.
- Application logs showing requests that set deeply nested keys like __proto__.CUSTOM_ELEMENT_HANDLING or constructor.prototype.tagNameCheck.
Detection Strategies
- Inventory all front-end and server-side bundles for DOMPurify versions between 3.0.1 and 3.3.3 using Software Composition Analysis (SCA) tooling.
- Add runtime checks that assert Object.prototype.CUSTOM_ELEMENT_HANDLING is undefined before invoking DOMPurify.sanitize().
- Review JSON parsing and object-merge utilities for prototype pollution sinks that could supply the precondition gadget.
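The second and third strategies above, as an added example that is not part of the advisory or of DOMPurify: a scanner that walks parsed request bodies for prototype-pollution key names (including flattened forms such as `prefs[__proto__][attributeNameCheck]`), plus a runtime check that none of the DOMPurify configuration names are reachable through Object.prototype. The request records are constructed for the example; the function names and the depth limit are assumptions.

```javascript
// Added example (not from the advisory or DOMPurify). Detection logic for the
// pollution precondition: scan request bodies for __proto__ / constructor /
// prototype keys, and check Object.prototype before calling sanitize().

const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Matches the same names inside a flattened key such as
// "settings[__proto__][tagNameCheck]" or "a.__proto__.b".
const FLATTENED_KEY = /(^|[.\[])(__proto__|constructor|prototype)(\]|\.|$)/;

// Walk a parsed JSON value and return every dotted path whose key is a
// prototype-pollution key. Depth is bounded (assumed limit) against
// pathological nesting.
function findPollutionPaths(value, path = [], depth = 0, out = []) {
  if (depth > 32 || value === null || typeof value !== 'object') return out;
  const entries = Array.isArray(value)
    ? value.map((v, i) => [String(i), v])
    : Object.entries(value); // own enumerable keys only, so a JSON "__proto__" key is visible
  for (const [key, child] of entries) {
    const here = [...path, key];
    if (POLLUTION_KEYS.has(key) || FLATTENED_KEY.test(key)) out.push(here.join('.'));
    findPollutionPaths(child, here, depth + 1, out);
  }
  return out;
}

// Scan log-style records that each carry the raw JSON body. Bodies that do
// not parse are reported too, since they still warrant a look.
function scanRequests(records) {
  const findings = [];
  for (const rec of records) {
    let body;
    try {
      body = JSON.parse(rec.body);
    } catch (e) {
      findings.push({ id: rec.id, paths: ['<unparseable body>'] });
      continue;
    }
    const paths = findPollutionPaths(body);
    if (paths.length) findings.push({ id: rec.id, paths });
  }
  return findings;
}

// Runtime guard: which of the given names resolve through Object.prototype?
// An empty result is the expected state before every DOMPurify.sanitize().
function pollutedPrototypeNames(names) {
  return names.filter((n) => n in Object.prototype);
}

const DOMPURIFY_CONFIG_NAMES = ['CUSTOM_ELEMENT_HANDLING', 'tagNameCheck', 'attributeNameCheck'];

// Constructed sample records (not real traffic).
const SAMPLE_REQUESTS = [
  { id: 'r1', body: '{"displayName":"alice","theme":"dark"}' },
  { id: 'r2', body: '{"__proto__":{"CUSTOM_ELEMENT_HANDLING":{"tagNameCheck":{}}}}' },
  { id: 'r3', body: '{"settings":{"constructor":{"prototype":{"tagNameCheck":{}}}}}' },
  { id: 'r4', body: '{"prefs[__proto__][attributeNameCheck]":"x"}' },
  { id: 'r5', body: 'not json' },
];

function main() {
  console.log(scanRequests(SAMPLE_REQUESTS));
  console.log(pollutedPrototypeNames(DOMPURIFY_CONFIG_NAMES)); // [] on a clean prototype
}
main();
```

The scanner inspects parsed structure rather than grepping raw text, so a value that merely contains the string `__proto__` (say, in a comment field) is not flagged while a key by that name at any depth is; pair it with the WAF keyword match from the monitoring list for coverage of non-JSON bodies.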
Monitoring Recommendations
- Deploy CSP report-only headers and forward report-uri events to a centralized log store for review of unexpected script execution.
- Monitor web application firewall (WAF) telemetry for request bodies containing __proto__, constructor, or prototype keys.
- Track DOMPurify release notes and dependency manifests in CI to flag regressions to vulnerable versions.
How to Mitigate CVE-2026-41238
Immediate Actions Required
- Upgrade DOMPurify to version 3.4.0 or later across all client-side and server-side rendering pipelines.
- Audit application code for prototype pollution sinks and patch them, since this CVE depends on a chained pollution gadget.
- Explicitly pass a CUSTOM_ELEMENT_HANDLING block to every DOMPurify.sanitize() call to prevent prototype chain inheritance.
Patch Information
The maintainers released the fix in DOMPurify 3.4.0. The release hardens configuration property lookups so that prototype-polluted values cannot override the defaults. Refer to the GitHub Security Advisory GHSA-v9jr-rg53-9pgp for advisory metadata.
Workarounds
- Freeze Object.prototype at application startup using Object.freeze(Object.prototype) to block pollution writes.
- Construct sanitize configuration with Object.create(null) so the configuration object has no inherited properties.
- Use a Content Security Policy that disallows inline event handlers and unsafe-inline script execution as a defense-in-depth layer.
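The second workaround above together with the "audit pollution sinks" action, as an added example that is not DOMPurify's code and not from the advisory: a recursive merge that refuses the keys a pollution gadget depends on, and a builder for the options object passed to DOMPurify.sanitize() that starts from Object.create(null) and always sets CUSTOM_ELEMENT_HANDLING as an own property. `safeMerge`, `buildSanitizeConfig` and the `null`-means-deny defaults are assumptions; ALLOWED_TAGS is a standard DOMPurify option used only as filler.

```javascript
// Added example (not DOMPurify's code). A merge that cannot be used as a
// pollution gadget, and a null-prototype sanitize config that leaves nothing
// to the prototype chain. Function names and defaults are assumptions.

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const p = Object.getPrototypeOf(v);
  return p === null || p === Object.prototype;
}

// Deep-merge `source` into `target`. Forbidden keys abort the whole merge
// rather than being silently skipped, only own enumerable properties are
// copied, and nested containers are created with a null prototype so the
// result never inherits from Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to merge key "${key}"`);
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = hasOwn(target, key) && isPlainObject(target[key]) ? target[key] : Object.create(null);
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Build the options object for DOMPurify.sanitize(): a null-prototype object
// with CUSTOM_ELEMENT_HANDLING always present as an own property. `overrides`
// is developer configuration, never raw user input.
function buildSanitizeConfig(overrides = Object.create(null)) {
  const config = safeMerge(Object.create(null), overrides);
  if (!hasOwn(config, 'CUSTOM_ELEMENT_HANDLING')) {
    // Assumed defaults: null means no custom element / attribute is accepted.
    config.CUSTOM_ELEMENT_HANDLING = safeMerge(Object.create(null), {
      tagNameCheck: null,
      attributeNameCheck: null,
    });
  }
  return config;
}

function main() {
  // Constructed payload shaped like a pollution attempt; JSON.parse makes
  // "__proto__" an ordinary own key, which safeMerge then rejects.
  const untrusted = JSON.parse('{"displayName":"alice","__proto__":{"CUSTOM_ELEMENT_HANDLING":{}}}');
  try {
    safeMerge(Object.create(null), untrusted);
  } catch (e) {
    console.log('rejected:', e.message);
  }
  console.log(buildSanitizeConfig({ ALLOWED_TAGS: ['b', 'i'] }));
}
main();
```

Rejecting rather than skipping a forbidden key gives the application a loggable event, which feeds the request-body monitoring the detection section recommends; the config builder makes the sanitize call independent of Object.prototype even on a DOMPurify version that has not yet been upgraded.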
# Configuration example
npm install dompurify@^3.4.0
npm ls dompurify
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


