DOMPurify, Security Bypass, CVE-2024-6780 (Medium)


The vulnerability exists in DOMPurify’s tag filtering logic within `src/purify.ts` at lines 1117–1123. The core issue is a short‑circuit evaluation in the conditional that determines whether an element should be kept or discarded. The condition is:

`!(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])`

When `tagCheck(tagName)` returns `true`, the expression short‑circuits: the entire condition becomes `false` without ever evaluating `FORBID_TAGS[tagName]`. Consequently, the element is kept even if it appears in `FORBID_TAGS`. This contradicts the attribute‑side logic at line 1214, where `FORBID_ATTR` is explicitly checked first:

`if (FORBID_ATTR[attrName]) { continue; }`

For tags, `FORBID_TAGS` should take precedence over `ADD_TAGS` (the function provided via `EXTRA_ELEMENT_HANDLING.tagCheck`). The flaw allows a forbidden tag to bypass the sanitizer when `ADD_TAGS` is configured as a function. The impact is configuration‑dependent but represents a genuine logic inconsistency. The suggested fix is to check `FORBID_TAGS` before `tagCheck`:

`if (FORBID_TAGS[tagName]) { /* remove */ } else if (tagCheck(tagName) || ALLOWED_TAGS[tagName]) { /* keep */ }`
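To make the ordering problem concrete, here is a stripped-down model of the keep/discard decision for a single element, with the vulnerable evaluation order beside the suggested fixed order. This is an added example, not DOMPurify's own code; the option names `ALLOWED_TAGS`, `FORBID_TAGS`, `ADD_TAGS` and `EXTRA_ELEMENT_HANDLING.tagCheck` mirror DOMPurify's, while `normalizeConfig`, `keepTagVulnerable`, `keepTagFixed`, `filterTags` and the small default allow list are assumptions made for the example.

```javascript
// Added example, not DOMPurify code: a model of the per-element keep/discard
// decision so the two evaluation orders can be compared on the same input.
// normalizeConfig, keepTagVulnerable, keepTagFixed and filterTags are names
// chosen for this example; the option names mirror DOMPurify's.

// Turn a config object into the lookup tables the decision functions use.
function normalizeConfig(cfg) {
  const toSet = (list) => new Set((list || []).map((t) => String(t).toLowerCase()));
  // ADD_TAGS is either a list (merged into the allow list) or, in the affected
  // version, a function exposed as EXTRA_ELEMENT_HANDLING.tagCheck.
  const addTags = cfg.ADD_TAGS;
  const extra = cfg.EXTRA_ELEMENT_HANDLING || {};
  const tagCheck =
    typeof addTags === 'function' ? addTags
    : typeof extra.tagCheck === 'function' ? extra.tagCheck
    : () => false;
  // Constructed default allow list (DOMPurify's real default list is much longer).
  const allowed = toSet(cfg.ALLOWED_TAGS || ['p', 'a', 'b', 'i']);
  if (Array.isArray(addTags)) for (const t of addTags) allowed.add(String(t).toLowerCase());
  return { allowed, forbidden: toSet(cfg.FORBID_TAGS), tagCheck };
}

// Vulnerable ordering (the condition quoted from purify.ts lines 1117-1123):
// a tagCheck that returns true short-circuits before FORBID_TAGS is consulted.
function keepTagVulnerable(tagName, tables) {
  const t = tagName.toLowerCase();
  const remove = !tables.tagCheck(t) && (!tables.allowed.has(t) || tables.forbidden.has(t));
  return !remove;
}

// Fixed ordering: FORBID_TAGS is checked first, then tagCheck / ALLOWED_TAGS.
function keepTagFixed(tagName, tables) {
  const t = tagName.toLowerCase();
  if (tables.forbidden.has(t)) return false;
  return Boolean(tables.tagCheck(t)) || tables.allowed.has(t);
}

// Run one decision function over a list of tag names and return those kept.
function filterTags(tagNames, cfg, decide) {
  const tables = normalizeConfig(cfg);
  return tagNames.filter((t) => decide(t, tables));
}

// Constructed sample configuration reproducing the risky combination.
const riskyConfig = {
  EXTRA_ELEMENT_HANDLING: { tagCheck: () => true },
  FORBID_TAGS: ['script', 'iframe'],
};
const sampleTags = ['p', 'script', 'iframe', 'custom-widget'];

console.log('vulnerable order keeps:', filterTags(sampleTags, riskyConfig, keepTagVulnerable));
console.log('fixed order keeps:     ', filterTags(sampleTags, riskyConfig, keepTagFixed));
```

With `tagCheck` unconditionally true, the vulnerable order keeps every tag including the two forbidden ones, whereas the fixed order removes `script` and `iframe` and still keeps the custom element the check was meant to admit. When `ADD_TAGS` is a plain list the two orders agree, which is why the issue only surfaces in the function-based configuration.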


The affected version is v3.3.3 (commit 883ac15).

DailyCVE Form

Platform: DOMPurify
Version: v3.3.3
Vulnerability: tag bypass
Severity: Medium
Date: 2024-07-16

Prediction: 2024-08-15

What Undercode Say:

```bash
# Check whether the affected version is installed
npm list dompurify | grep "dompurify@3.3.3"
# Simulate the vulnerable condition (DOMPurify needs a DOM in Node; jsdom provides one)
node -e "const { JSDOM } = require('jsdom'); const DOMPurify = require('dompurify')(new JSDOM('').window); const cfg = { EXTRA_ELEMENT_HANDLING: { tagCheck: () => true }, FORBID_TAGS: ['script'] }; console.log(DOMPurify.sanitize('<script>alert(1)</script>', cfg));"
```

Exploit:

The flaw can be triggered by supplying an `ADD_TAGS` function that always returns true, thereby short‑circuiting the `FORBID_TAGS` check. An attacker can craft a payload with a forbidden tag (e.g., `<script>`) that will be preserved in the sanitized output because `FORBID_TAGS[tagName]` is never evaluated.

Protection from this CVE:

  • Upgrade to a patched version of DOMPurify (v3.3.4 or later) as soon as it is available.
  • Avoid configuring `ADD_TAGS` as a function that unconditionally returns `true` while simultaneously relying on `FORBID_TAGS`.
  • Review custom `EXTRA_ELEMENT_HANDLING` configurations to ensure they do not inadvertently bypass security checks.
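The second and third points can be checked mechanically before a configuration ships. The following audit is an added example, not part of DOMPurify or of this advisory: it inspects a DOMPurify config object for a `tagCheck` function used together with `FORBID_TAGS`, and probes the function with each forbidden tag name, since any forbidden tag the function accepts is exactly one the affected version would keep. `auditDomPurifyConfig`, `highestSeverity` and the sample configurations are assumptions made for the example.

```javascript
// Added example, not DOMPurify code: lint a DOMPurify configuration for the
// combination described in this advisory. Function names are chosen for the
// example; the option names mirror DOMPurify's.

function auditDomPurifyConfig(cfg) {
  const findings = [];
  const forbid = (cfg.FORBID_TAGS || []).map((t) => String(t).toLowerCase());
  const extra = cfg.EXTRA_ELEMENT_HANDLING || {};
  // ADD_TAGS as a function, or EXTRA_ELEMENT_HANDLING.tagCheck, is the
  // function-based path that bypasses FORBID_TAGS on the affected version.
  const tagCheck =
    typeof cfg.ADD_TAGS === 'function' ? cfg.ADD_TAGS
    : typeof extra.tagCheck === 'function' ? extra.tagCheck
    : null;

  if (tagCheck && forbid.length > 0) {
    findings.push({
      severity: 'warn',
      message: 'tagCheck function is combined with FORBID_TAGS; on v3.3.3 the function is evaluated before the forbid list',
    });
    // Probe the function with each forbidden tag. A check that throws is treated
    // as "does not accept" so a broken callback cannot hide a finding or crash the audit.
    const accepted = forbid.filter((t) => {
      try { return Boolean(tagCheck(t)); } catch { return false; }
    });
    if (accepted.length > 0) {
      findings.push({
        severity: 'high',
        message: 'tagCheck accepts tags listed in FORBID_TAGS: ' + accepted.join(', '),
        tags: accepted,
      });
    }
  }
  return findings;
}

// Collapse a findings list to a single verdict: 'ok', 'warn' or 'high'.
function highestSeverity(findings) {
  if (findings.some((f) => f.severity === 'high')) return 'high';
  if (findings.some((f) => f.severity === 'warn')) return 'warn';
  return 'ok';
}

// Constructed sample configurations.
const unconditionalConfig = {
  EXTRA_ELEMENT_HANDLING: { tagCheck: () => true },
  FORBID_TAGS: ['script', 'iframe'],
};
const scopedConfig = {
  EXTRA_ELEMENT_HANDLING: { tagCheck: (t) => t.startsWith('custom-') },
  FORBID_TAGS: ['script'],
};
const listConfig = { ADD_TAGS: ['custom-widget'], FORBID_TAGS: ['script'] };

for (const [name, cfg] of Object.entries({ unconditionalConfig, scopedConfig, listConfig })) {
  console.log(name, '->', highestSeverity(auditDomPurifyConfig(cfg)));
}
```

A `tagCheck` scoped to a known prefix still earns a warning, because the precedence bug remains in the library until it is upgraded, but only an unconditional check (or one that happens to accept a forbidden name) is flagged as high; a list-based `ADD_TAGS` produces no finding.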

Impact:

  • An attacker can bypass the sanitizer and inject malicious tags that should have been blocked by FORBID_TAGS.
  • The severity is configuration‑dependent, but in the worst case it can lead to cross‑site scripting (XSS) if a forbidden tag like `