DOMPurify Library Bypasses Expose XSS Vulnerabilities
Severity: Medium (Score: 54.9)
Sources: portswigger.net, Slcyber, developer.chrome.com, mizu.re, www.securitum.com
Keywords: dompurify, bypasses, mutation, bypass, chrome, sanitizer, site
Summary
Recent analyses have uncovered multiple bypasses in the DOMPurify library, a widely used HTML sanitizer, which could lead to Cross-Site Scripting (XSS) vulnerabilities. The bypasses stem from parsing and serialization inconsistencies within the library, which let crafted markup pass through the sanitization step intact. Specifically, a mutation XSS vulnerability was identified in DOMPurify versions 2.0.17 and later, affecting web applications that rely on this library to sanitize user-generated content. The vulnerabilities were detailed in multiple articles published on May 22, 2026, highlighting the need for developers to review their implementations. The introduction of the Sanitizer API in Chrome and Firefox aims to mitigate these issues by eliminating the serialization round trip. However, two bypasses for this new API were also reported, indicating ongoing risks. Developers are urged to stay informed about these vulnerabilities and consider adopting the newer Sanitizer API for enhanced security.

Key Points:
- Multiple bypasses in DOMPurify expose XSS vulnerabilities in web applications.
- DOMPurify versions 2.0.17 and later are particularly affected by these issues.
- The new Sanitizer API aims to address these vulnerabilities but has its own bypass risks.
Detailed Analysis
**Impact**

Web applications using DOMPurify versions prior to 3.1.0, and Chrome's Sanitizer API in versions around 146, are vulnerable to Cross-Site Scripting (XSS) via mutation-based bypasses. This affects any sector relying on client-side HTML sanitization, including finance, healthcare, and e-commerce, globally. The vulnerabilities can lead to unauthorized script execution, data theft, session hijacking, and potential compromise of user credentials or sensitive data. No specific incident counts or geographic concentrations were reported.

**Technical Details**

The attack exploits inconsistencies between HTML parsing and serialization, particularly in namespace handling (SVG, MathML) and form element nesting, leading to mutation XSS (mXSS). DOMPurify sanitizes a parsed DOM tree and returns a serialized string; when the consuming application re-parses that string (for example by assigning it to `innerHTML`), a malformed tree can mutate into markup the sanitizer never saw, bypassing sanitization. The reported Chrome Sanitizer API bypasses leverage strict attribute name comparisons and SVG animation attributes such as `xlink:href` to inject malicious payloads. No CVEs were explicitly mentioned. The attack occurs during the sanitization and DOM insertion phases of the kill chain.

**Recommended Response**

Upgrade DOMPurify to version 3.1.0 or later, which addresses these bypasses. For Chrome users, apply the latest browser updates beyond version 146 that include Sanitizer API fixes. Avoid serialization-based sanitization (sanitize to a string, then re-parse); prefer APIs that return a sanitized DOM tree directly. Monitor for unusual DOM mutations and injection patterns involving SVG and MathML namespaces. Implement a Content Security Policy (CSP) to limit the impact of any script that does get injected.
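The two defensive points above (a string round trip is where mXSS happens, and DOM-returning sinks avoid it) can be made concrete. The following is an added JavaScript example, not code from DOMPurify, the Sanitizer API, or any of the cited articles. `sanitizeToFixedPoint` checks that a string sanitizer's output survives the consumer's parse/serialize cycle unchanged and refuses input that never stabilises; `renderUntrusted` shows the preferred tree-based sinks (`Element.setHTML` and DOMPurify's real `RETURN_DOM_FRAGMENT` option). The `sanitize` and `roundTrip` callbacks, the toy regex sanitizer and the two stand-in round-trip functions are constructed for the example so that it runs outside a browser; in a page you would pass `DOMPurify.sanitize` and a round trip that assigns to and reads back `innerHTML`.

```javascript
// Added example (not DOMPurify's, the Sanitizer API's or the cited articles' code).
// Mutation XSS lives in the serialize -> re-parse step: markup the sanitizer judged
// harmless can come back as different DOM after the sink round-trips it. One check on
// a string-based sanitizer is to require its output to be a fixed point of
// sanitize(roundTrip(x)); input that never settles is treated as hostile.
//
// Assumptions: `sanitize` is any html -> html function (DOMPurify.sanitize in a browser);
// `roundTrip` mimics the consuming sink (in a browser: assign to innerHTML, read it back).
function sanitizeToFixedPoint(html, sanitize, roundTrip, maxRounds = 3) {
  let current = sanitize(html);
  for (let round = 1; round <= maxRounds; round++) {
    const again = sanitize(roundTrip(current));
    if (again === current) {
      // Output survives the sink's parse/serialize cycle unchanged.
      return { html: current, stable: true, rounds: round };
    }
    current = again;
  }
  // Never stabilised: render nothing rather than the last attempt.
  return { html: "", stable: false, rounds: maxRounds };
}

// Preferred sink pattern: hand the target a sanitized tree instead of a string, so there
// is no second parse. Sanitizer API first (Element.setHTML, shipped in Chrome 146 and
// Firefox 148), then DOMPurify's RETURN_DOM_FRAGMENT option.
function renderUntrusted(target, untrusted, purify) {
  if (typeof target.setHTML === "function") {
    target.setHTML(untrusted); // browser sanitizes and inserts in one step
    return "setHTML";
  }
  const fragment = purify.sanitize(untrusted, { RETURN_DOM_FRAGMENT: true });
  target.replaceChildren(fragment);
  return "fragment";
}

// --- Constructed stand-ins so the check can be exercised without a browser ---
// Toy string sanitizer: strips only <script> elements (deliberately naive).
const toySanitize = (html) => html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
// Sink that serializes faithfully: what goes in comes back out.
const faithfulRoundTrip = (html) => html;
// Sink that mimics the attribute-escaping gap closed in Chrome 138: text escaped as
// &lt; / &gt; is re-read as real markup on the way back.
const mutatingRoundTrip = (html) => html.replace(/&lt;/g, "<").replace(/&gt;/g, ">");
```

With the mutating sink, the escaped `<script>` inside an attribute value only becomes a real element after the round trip; the fixed-point loop sees the second sanitize pass change the output, runs once more, and returns the stabilised `<img alt="">`. A sink that keeps drifting exhausts `maxRounds` and yields an empty string.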
Source articles (5)
- Mutation XSS via MathML mutation: DOMPurify 2.0.17 bypass — www.securitum.com · 2026-05-22
  In this blogpost I'l…
- Escape < and > in attributes — developer.chrome.com · 2026-05-22
  On May 20, 2025, the HTML specification was updated to escape < and > in attributes, helping prevent mutation XSS (mXSS) vulnerabilities. This change landed in Chrome 138, which went to Beta on May 28, 2025, a…
- Bypassing DOMPurify again with mutation XSS — portswigger.net · 2026-05-22
- Two Bypasses for Chrome's Sanitizer API › Searchlight Cyber — Slcyber · 2026-05-22
  The Sanitizer API arrived with much fanfare in both Chrome 146 and Firefox 148 just a few months ago. The API provides two new ways to set HTML safely from within JavaScript; the default mode: And the…
- Exploring the DOMPurify library bypasses and fixes — mizu.re · 2026-05-22
  This article will be part of a two-article series focusin… Introduction …feel free to skip to "DOMPurify 3.1.0 bypass (found by @IceFont 👑)". Before diving into the technical details, I believe it's imp…
Timeline
- 2024-04-26 — Full DOMPurify bypass reported: A complete bypass of DOMPurify was disclosed by @cure53berlin, highlighting vulnerabilities in the library.
- 2026-05-22 — Mutation XSS vulnerability detailed: A recent blog post explained how a mutation XSS vulnerability in DOMPurify 2.0.17 can be exploited, affecting many web applications.
- 2026-05-22 — Sanitizer API bypasses reported: Two bypasses for the new Sanitizer API in Chrome were disclosed, emphasizing the ongoing risks in web sanitization.
Related entities
- XSS (Vulnerability)
- mXSS (Vulnerability)
- CWE-79 - Cross-site Scripting (XSS) (CWE)
- elements.as (Domain)
- sanitizer.cc (Domain)
- T1059.007 - JavaScript (MITRE ATT&CK)
- Chrome (Tool)
- JavaScript (Tool)
- bluemonday (Tool)
- DOMParser (Tool)
- DOMPurify (Tool)
- Mermaid.js (Tool)
- pybluemonday (Tool)
- Chromium (Platform)
- Firefox (Platform)
- HTML (Platform)
- Pyodide (Platform)
- PyScript (Platform)
- Ruby (Platform)
- Safari (Platform)