CVE-2026-41240 Overview
DOMPurify, a widely-used DOM-only cross-site scripting (XSS) sanitizer for HTML, MathML, and SVG, contains a vulnerability in versions prior to 3.4.0 that allows forbidden elements to bypass sanitization. The flaw stems from an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used, potentially enabling XSS attacks in applications relying on DOMPurify for input sanitization.
Critical Impact
Attackers can bypass the FORBID_TAGS security mechanism, allowing forbidden HTML elements to survive sanitization with their attributes intact, potentially leading to Cross-Site Scripting attacks.
Affected Products
- DOMPurify versions prior to 3.4.0
- Applications using DOMPurify with EXTRA_ELEMENT_HANDLING.tagCheck configurations
- Web applications relying on FORBID_TAGS for XSS protection
Discovery Timeline
- 2026-04-23 - CVE-2026-41240 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41240
Vulnerability Analysis
This vulnerability (CWE-79: Cross-Site Scripting) arises from a logic flaw in DOMPurify's tag filtering mechanism. The issue was introduced when commit c361baa added an early exit optimization for FORBID_ATTR at line 1214, but the same protective fix was not consistently applied to FORBID_TAGS handling.
The core problem exists at lines 1118-1123 in the DOMPurify source code. When EXTRA_ELEMENT_HANDLING.tagCheck returns true, JavaScript's short-circuit evaluation causes the FORBID_TAGS check to be skipped entirely. This means that elements explicitly forbidden by the application's security policy can pass through the sanitization process unfiltered, along with their potentially malicious attributes.
Root Cause
The root cause is an inconsistent implementation of security checks between FORBID_ATTR and FORBID_TAGS when using function-based ADD_TAGS configuration. The FORBID_ATTR handling includes an early exit mechanism that prevents bypasses, but the FORBID_TAGS logic lacks this same protection. When the tagCheck function returns a truthy value, the logical OR (||) operator causes short-circuit evaluation, preventing the subsequent FORBID_TAGS validation from executing.
Attack Vector
An attacker can exploit this vulnerability by crafting HTML input containing elements that are listed in FORBID_TAGS but can pass the EXTRA_ELEMENT_HANDLING.tagCheck function. When DOMPurify processes this input:
- The tagCheck function evaluates the element
- If tagCheck returns true, short-circuit evaluation occurs
- The FORBID_TAGS check is never executed
- The forbidden element survives sanitization with attributes intact
- This can lead to XSS execution if the forbidden element contains event handlers or script content
/* Parse profile info */
if (USE_PROFILES) {
ALLOWED_TAGS = addToSet({}, text);
- ALLOWED_ATTR = [];
+ ALLOWED_ATTR = create(null);
if (USE_PROFILES.html === true) {
addToSet(ALLOWED_TAGS, html$1);
addToSet(ALLOWED_ATTR, html);
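Review bot: this hunk only changes the initial ALLOWED_ATTR container from `[]` to `create(null)` so that the `addToSet(ALLOWED_ATTR, html)` call below populates a prototype-less set rather than an array; nothing in it touches the tagCheck / FORBID_TAGS ordering at lines 1118-1123 that the Vulnerability Analysis names as the bypass, so the excerpt should also quote that hunk, or the source line should say this is only the profile-initialisation part of the fix.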
Source: GitHub Commit c361baa
Detection Methods for CVE-2026-41240
Indicators of Compromise
- Unexpected HTML elements appearing in sanitized output that should have been blocked by FORBID_TAGS
- XSS payloads executing in applications using DOMPurify with custom EXTRA_ELEMENT_HANDLING configurations
- Web application firewall logs showing unusual HTML tag combinations in POST requests
Detection Strategies
- Review application code for DOMPurify configurations using EXTRA_ELEMENT_HANDLING.tagCheck in combination with FORBID_TAGS
- Implement automated testing to verify that all FORBID_TAGS elements are properly blocked regardless of tagCheck results
- Audit JavaScript dependencies using npm audit or similar tools to identify vulnerable DOMPurify versions
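The short-circuit ordering described under Root Cause and Attack Vector, together with the regression check the Detection Strategies item asks for, as an added example that is not DOMPurify's code: the two keepElement functions, the sample configuration and the lenient tagCheck are hypothetical constructions that model the advisory's description, and only the names ALLOWED_TAGS, FORBID_TAGS, tagCheck and create(null) come from the page.

```javascript
// Added example, not DOMPurify's source: a minimal model of the tag-filter
// decision the advisory describes. The control flow is a hypothetical
// reconstruction of the ordering bug, not the library's real code.

// Prototype-less set, as create(null) in the patch hunk: with a plain {}
// a lookup such as set['constructor'] would be truthy by inheritance.
function makeSet(names) {
  const set = Object.create(null);
  for (const name of names) set[name] = true;
  return set;
}

// Vulnerable ordering: the forbid test sits to the right of `||`, so a
// truthy tagCheck result makes the expression true without evaluating it.
function keepElementBuggy(tagName, cfg) {
  const byCheck = cfg.tagCheck ? cfg.tagCheck(tagName) : false;
  return Boolean(byCheck || (cfg.ALLOWED_TAGS[tagName] && !cfg.FORBID_TAGS[tagName]));
}

// Hardened ordering: FORBID_TAGS is an early exit evaluated before any
// allow-list or tagCheck result, mirroring the FORBID_ATTR early exit.
function keepElementFixed(tagName, cfg) {
  if (cfg.FORBID_TAGS[tagName]) return false;
  const byCheck = cfg.tagCheck ? cfg.tagCheck(tagName) : false;
  return Boolean(cfg.ALLOWED_TAGS[tagName] || byCheck);
}

// Regression check: every FORBID_TAGS entry must be dropped no matter
// what tagCheck returns. Returns the list of tags that leaked through.
function auditForbiddenTags(cfg, keepElement) {
  return Object.keys(cfg.FORBID_TAGS).filter((tag) => keepElement(tag, cfg));
}

// Constructed sample configuration. The tagCheck is a deliberately lenient
// hypothetical one (accepts any tag starting with "i") so the bypass shows.
function sampleConfig() {
  return {
    ALLOWED_TAGS: makeSet(['a', 'b', 'p', 'img']),
    FORBID_TAGS: makeSet(['iframe', 'svg', 'math']),
    tagCheck: (tag) => tag.startsWith('i'),
  };
}

function runDemo() {
  const cfg = sampleConfig();
  return {
    buggyLeaks: auditForbiddenTags(cfg, keepElementBuggy), // ['iframe']
    fixedLeaks: auditForbiddenTags(cfg, keepElementFixed), // []
  };
}

console.log(JSON.stringify(runDemo()));
```

Pointing auditForbiddenTags at a wrapper around the real sanitizer (sanitize a minimal element of each forbidden tag and check whether it survives) turns it into the CI test the Detection Strategies list recommends.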
Monitoring Recommendations
- Monitor content security policy (CSP) violation reports for inline script execution attempts
- Enable verbose logging on input sanitization functions to detect unexpected element passthrough
- Set up dependency scanning in CI/CD pipelines to alert on vulnerable DOMPurify versions
How to Mitigate CVE-2026-41240
Immediate Actions Required
- Upgrade DOMPurify to version 3.4.0 or later immediately
- Audit all DOMPurify configurations using EXTRA_ELEMENT_HANDLING with FORBID_TAGS
- Implement additional input validation layers until patching is complete
- Review recent user-generated content for potential exploitation attempts
Patch Information
The vulnerability is addressed in DOMPurify version 3.4.0. The patch ensures consistent handling between FORBID_TAGS and FORBID_ATTR by preventing short-circuit evaluation from bypassing forbidden element checks. The fix modifies the ALLOWED_ATTR initialization to use create(null) instead of an empty array, and adds proper checks to prevent the tagCheck short-circuit bypass.
For detailed patch information, see the GitHub Security Advisory GHSA-h7mw-gpvr-xq4m and the DOMPurify 3.4.0 Release.
Workarounds
- Avoid using EXTRA_ELEMENT_HANDLING.tagCheck in combination with FORBID_TAGS until upgrade is possible
- Implement server-side validation as a secondary layer of protection
- Use Content Security Policy (CSP) headers to mitigate potential XSS impact
# Upgrade DOMPurify via npm (npm update does not accept a version spec; use install)
npm install dompurify@^3.4.0
# Verify installed version
npm list dompurify
# Audit for vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

