DOMPurify v3 Security Update Patches Critical mXSS Vulnerability (GHSA-h8r8-wccr-v5f2)
A critical mutation-XSS (mXSS) vulnerability in the widely used DOMPurify HTML sanitization library has been patched. The fix ships in DOMPurify 3.3.2, so projects still on the 2.x line (the bump reported here is from 2.3.8 to 3.3.2) face a major-version upgrade. The flaw, tracked as GHSA-h8r8-wccr-v5f2, lets a payload survive sanitization and execute when the sanitized HTML is later re-inserted into a new parsing context via `innerHTML`. Markup that is inert in the string DOMPurify returns can therefore become executable after re-parsing, a common situation in applications that store sanitized HTML and render it later.
The vulnerability is triggered by specific HTML wrapper elements, including `script`, `xmp`, `iframe`, `noembed`, `noframes`, and `noscript`. These elements hold raw text rather than child elements (and `noscript` is parsed differently depending on whether scripting is enabled), which is the classic ingredient of an mXSS: when sanitized content containing them is serialized to a string and parsed again through `innerHTML`, the browser can build a different tree from the same string, and what was inert text in the first parse becomes live markup in the second. The payload therefore looks benign immediately after the DOMPurify pass and only becomes dangerous in a subsequent rendering step, which is why a test that only inspects DOMPurify's immediate output will not catch it.
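The following is an added example, not code from DOMPurify or from the advisory, showing the store-then-re-insert pattern the advisory describes beside a hardened rendering helper. The element list is the one named above; `findRawTextWrappers`, `hardenedConfig`, `storeThenRenderLater` and `renderUntrusted` are hypothetical names, and the browser-side functions assume `DOMPurify` is the library object and `target` a live element. `FORBID_TAGS` and `RETURN_DOM_FRAGMENT` are real DOMPurify options.

```javascript
// Added example (hypothetical helpers, not DOMPurify's own code). The tag list
// is the set of wrapper elements named in the advisory text.
const RAW_TEXT_WRAPPERS = ["script", "xmp", "iframe", "noembed", "noframes", "noscript"];

// Tripwire for sanitized markup that is about to be persisted: report which of
// the advisory-listed wrapper elements appear as start tags. This is a coarse
// string screen, not a parser; it exists to catch a sanitizer configuration
// (for example an ADD_TAGS that re-enables one of them) that lets these
// elements through, not to replace DOMPurify.
function findRawTextWrappers(html) {
  const found = new Set();
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (RAW_TEXT_WRAPPERS.includes(name)) found.add(name);
  }
  return [...found];
}

// Merge the wrapper elements into FORBID_TAGS so they are removed outright,
// even if another part of the application extended the allowlist.
function hardenedConfig(baseConfig = {}) {
  const forbid = new Set([...(baseConfig.FORBID_TAGS || []), ...RAW_TEXT_WRAPPERS]);
  return { ...baseConfig, FORBID_TAGS: [...forbid] };
}

// The pattern the advisory's failure mode depends on (kept here for contrast):
// sanitize once, keep the string, and re-parse it through innerHTML later.
// The second parse is where the mutation happens.
function storeThenRenderLater(DOMPurify, untrustedHtml, store) {
  store.sanitized = DOMPurify.sanitize(untrustedHtml); // a string, stored
  return (target) => {
    target.innerHTML = store.sanitized; // re-parsed in a new context
  };
}

// Hardened form: sanitize at render time and adopt the sanitized DOM directly
// with RETURN_DOM_FRAGMENT + replaceChildren, so there is no serialize/re-parse
// step between DOMPurify's tree and the live document. Keep the raw input, not
// the sanitized output, if it must be persisted.
function renderUntrusted(DOMPurify, target, untrustedHtml, baseConfig = {}) {
  const cfg = { ...hardenedConfig(baseConfig), RETURN_DOM_FRAGMENT: true };
  const fragment = DOMPurify.sanitize(untrustedHtml, cfg);
  target.replaceChildren(fragment);
  return cfg;
}
```

In browser code the call is simply `renderUntrusted(DOMPurify, document.getElementById("comment"), rawComment)`. Adopting the fragment is the part that matters: it keeps the tree DOMPurify inspected, whereas assigning a string to `innerHTML` always asks the browser to parse again.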
The mandatory update to DOMPurify v3 places immediate pressure on thousands of dependent projects and their security teams. Any application that uses DOMPurify for user-generated content, rich text editors, or comment systems and then stores the sanitized output or re-inserts it through `innerHTML` is potentially at risk until the patch is applied. Bumping the declared dependency is not enough on its own: check that the resolved version in the lockfile, bundle, or vendored copy is actually 3.3.2 or later, since a transitive dependency can keep an old 2.x copy in place. This vulnerability underscores the persistent threat of mutation-based XSS, which exploits the gap between sanitization logic and browser parsing quirks, and the need for vigilant dependency management across the software supply chain.