GHSA-h8r8-wccr-v5f2: DOMPurify is vulnerable to mutation-XSS via Re-Contextualization

March 27, 2026

A mutation-XSS (mXSS) condition was confirmed when sanitized HTML is reinserted into a new parsing context using innerHTML and special wrappers. The vulnerable wrappers confirmed in browser behavior are script, xmp, iframe, noembed, noframes, and noscript. The payload remains seemingly benign after DOMPurify.sanitize(), but mutates during the second parse into executable markup with an event handler, enabling JavaScript execution in the client (alert(1) in the PoC).

References

github.com/advisories/GHSA-h8r8-wccr-v5f2
github.com/cure53/DOMPurify
github.com/cure53/DOMPurify/releases/tag/3.3.2
github.com/cure53/DOMPurify/security/advisories/GHSA-h8r8-wccr-v5f2

Code Behaviors & Features

Detect and mitigate GHSA-h8r8-wccr-v5f2 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →