CVE-2026-41238 Overview
CVE-2026-41238 is a prototype pollution-based Cross-Site Scripting (XSS) bypass vulnerability affecting DOMPurify, a widely-used DOM-only XSS sanitizer for HTML, MathML, and SVG. This vulnerability allows attackers to bypass DOMPurify's sanitization mechanisms when a prior prototype pollution gadget exists in the application, potentially enabling the injection of malicious scripts through custom elements with event handlers.
Critical Impact
Attackers can bypass DOMPurify sanitization to inject arbitrary custom elements with event handlers, enabling XSS attacks on applications relying on DOMPurify for user input sanitization.
Affected Products
- DOMPurify versions 3.0.1 through 3.3.3
- Applications using DOMPurify.sanitize() with default configuration
- Web applications without CUSTOM_ELEMENT_HANDLING option configured
Discovery Timeline
- 2026-04-23 - CVE CVE-2026-41238 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41238
Vulnerability Analysis
This vulnerability represents a sophisticated XSS bypass that chains prototype pollution with DOMPurify's custom element handling logic. The attack requires a pre-existing prototype pollution vulnerability in the target application, which then enables the bypass of DOMPurify's sanitization. The network-accessible nature of this attack combined with the potential for high confidentiality impact makes it a significant concern for web applications relying on DOMPurify as their primary XSS defense layer.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which encompasses cross-site scripting vulnerabilities. When successfully exploited, attackers can execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to session hijacking, credential theft, or malicious actions on behalf of the user.
Root Cause
The root cause lies in how DOMPurify handles the CUSTOM_ELEMENT_HANDLING configuration option. When applications use DOMPurify.sanitize() with the default configuration (without explicitly setting CUSTOM_ELEMENT_HANDLING), the library reads tagNameCheck and attributeNameCheck values that can be polluted through Object.prototype.
An attacker who has already achieved prototype pollution in the application can inject permissive regex values into Object.prototype.tagNameCheck and Object.prototype.attributeNameCheck. These injected values cause DOMPurify to incorrectly validate and allow arbitrary custom elements with arbitrary attributes—including dangerous event handlers like onclick, onerror, and onload—to pass through sanitization untouched.
Attack Vector
The attack requires two stages: first, the attacker must exploit a separate prototype pollution vulnerability in the target application to pollute Object.prototype with malicious tagNameCheck and attributeNameCheck regex patterns. These patterns are crafted to match any tag or attribute name, effectively disabling DOMPurify's element and attribute filtering.
Once the prototype is polluted, subsequent calls to DOMPurify.sanitize() will allow custom elements with event handler attributes through the sanitization process. When the sanitized output is inserted into the DOM, the malicious event handlers execute, achieving XSS. The attack can be delivered over the network and requires user interaction (such as viewing a page containing the malicious content), but can affect other origins due to the changed scope characteristic of XSS vulnerabilities.
Detection Methods for CVE-2026-41238
Indicators of Compromise
- Unexpected custom HTML elements appearing in sanitized output with event handler attributes
- Prototype pollution patterns in JavaScript logs or error monitoring (e.g., modifications to Object.prototype.tagNameCheck)
- XSS payloads containing custom elements like <custom-tag onerror="malicious_code"> in web application logs
- Client-side JavaScript errors related to unexpected object property access patterns
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Monitor for prototype pollution attempts using JavaScript runtime monitoring or security libraries like Object.freeze(Object.prototype)
- Deploy web application firewalls (WAF) with rules to detect XSS payloads containing custom elements with event handlers
- Use SentinelOne Singularity XDR to detect anomalous JavaScript execution patterns and prototype manipulation activities
Monitoring Recommendations
- Enable verbose logging for DOMPurify operations in development and staging environments
- Monitor client-side error reporting for unexpected prototype property access
- Implement real-time alerting for CSP violation reports indicating potential XSS attempts
- Review application dependencies for known prototype pollution vulnerabilities that could enable this attack chain
How to Mitigate CVE-2026-41238
Immediate Actions Required
- Upgrade DOMPurify to version 3.4.0 or later immediately
- Audit applications for existing prototype pollution vulnerabilities that could enable this attack
- Implement explicit CUSTOM_ELEMENT_HANDLING configuration as a defense-in-depth measure
- Consider freezing Object.prototype in security-critical applications to prevent prototype pollution
Patch Information
The vulnerability is fixed in DOMPurify version 3.4.0. The patch addresses the unsafe reading of tagNameCheck and attributeNameCheck from potentially polluted prototype chains. Organizations should update their DOMPurify dependency through their package manager.
For detailed patch information, refer to the GitHub Release Notes and the GitHub Security Advisory.
Workarounds
- Explicitly configure CUSTOM_ELEMENT_HANDLING with restrictive tagNameCheck and attributeNameCheck functions that do not rely on prototype chain lookups
- Implement prototype pollution protection by freezing Object.prototype using Object.freeze(Object.prototype) before any user-controlled JavaScript executes
- Use strict Content Security Policy headers to mitigate the impact of successful XSS bypass
- Validate and sanitize all user inputs at multiple layers, not relying solely on client-side sanitization
# Update DOMPurify using npm
npm update dompurify@3.4.0
# Or install the specific patched version
npm install dompurify@3.4.0 --save
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
