DOMPurify Regular Expression Vulnerability Leading to Mutation Cross-Site Scripting

Vulnerability

A vulnerability in DOMPurify versions prior to 3.2.4 allows mutation cross-site scripting (mXSS) because of an incorrect regular expression used to handle template literals. The flaw can be exploited by injecting comments into attribute values, which bypasses DOMPurify's sanitization and leads to XSS.

Impact

Exploitation of this vulnerability allows for mutation cross-site scripting, where injected payloads can be executed in the context of the user.

Reproduction

The vulnerability can be reproduced with DOMPurify 3.2.3 and the 'SAFE_FOR_TEMPLATES' option enabled. Comments are injected so that they are treated as text during DOMPurify's first parse, but as comments when the browser parses the sanitized output a second time. This is achieved by wrapping the comments in a specific payload and placing them in attribute values of elements that are processed after the comments have been parsed.

Remediation

Users can upgrade to DOMPurify version 3.2.4, which addresses this vulnerability by correcting the template literal regular expression to prevent the config-dependent bypass.
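The following is an added illustration, not code from this page or from the DOMPurify project. It contrasts a template-literal strip pattern that requires a closing brace with one that strips from the opener to the end of the value, and gates the check on the affected version range (anything before 3.2.4). The two patterns are my recollection of DOMPurify's TMPLIT_EXPR before and after the fix and the single-space replacement mimics the SAFE_FOR_TEMPLATES step; treat both as assumptions to verify against the 3.2.4 diff. All sample values are constructed.

```javascript
// Assumed pre-fix pattern: needs a closing brace, so an unclosed "${..." survives.
const TMPLIT_PRE_FIX = /\${[\w\W]*}/gm;
// Assumed post-fix pattern: strips from "${" to the end of the value.
const TMPLIT_POST_FIX = /\$\{[\w\W]*/gm;

// Mimics the SAFE_FOR_TEMPLATES step applied to one attribute value or text node
// (assumption: the match is replaced with a single space).
function stripTemplateLiterals(value, pattern) {
  return value.replace(pattern, ' ');
}

// Defensive property the fix restores: no template opener may survive sanitization.
function leavesTemplateOpener(value) {
  return value.includes('${');
}

// True for DOMPurify versions covered by the advisory (before 3.2.4).
// Assumption: plain "major.minor.patch" strings, no prerelease suffix.
function isAffected(version) {
  const parts = version.split('.').map(Number);
  const fixed = [3, 2, 4];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false;
}

// Constructed sample values, not taken from the advisory.
const SAMPLES = [
  'hello ${name}',   // closed literal: both patterns remove it
  'hello ${name',    // unclosed literal: only the fixed pattern removes it
  'a ${x} b ${y} c', // greedy span: pre-fix removes first "${" to last "}"
];

// Runs both patterns over each sample and reports whether "${" leaked through.
function compare(samples) {
  return samples.map((input) => {
    const pre = stripTemplateLiterals(input, TMPLIT_PRE_FIX);
    const post = stripTemplateLiterals(input, TMPLIT_POST_FIX);
    return {
      input,
      pre,
      post,
      preLeaks: leavesTemplateOpener(pre),
      postLeaks: leavesTemplateOpener(post),
    };
  });
}
```

Running `compare(SAMPLES)` shows the unclosed literal surviving only under the pre-fix pattern, which is the kind of config-dependent gap a post-sanitization assertion on `leavesTemplateOpener` would catch in a test suite.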

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          2.4
impact          1.7
exploitability  5.8
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.