GHSA-vxr8-fq34-vvx9: DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output

June 15, 2026

A DOMPurify instance that is reused across trust boundaries can stay bound to a previously supplied TRUSTED_TYPES_POLICY even after clearConfig() is called. A later caller that requests RETURN_TRUSTED_TYPE receives a TrustedHTML object created by the old policy, not by a clean default configuration.

References

github.com/advisories/GHSA-vxr8-fq34-vvx9
github.com/cure53/DOMPurify/security/advisories/GHSA-vxr8-fq34-vvx9

Code Behaviors & Features

Detect and mitigate GHSA-vxr8-fq34-vvx9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →