Common Weakness Enumeration

CWE-693

Discouraged

Protection Mechanism Failure

Abstraction: Pillar · Status: Draft

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

979 vulnerabilities reference this CWE, most recent first.

GHSA-6W5W-J428-GFP7

Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-13 21:30
VLAI
Details

Protection mechanism failure in the SPP for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-13T21:15:22Z",
    "severity": "HIGH"
  },
  "details": "Protection mechanism failure in the SPP for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-6w5w-j428-gfp7",
  "modified": "2024-11-13T21:30:37Z",
  "published": "2024-11-13T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36242"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01196.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6W9X-GQPR-3FJH

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

In multiple functions of btm_sec.cc, there is a possible way for an attacker to intercept SMS messages due to a logic error in the code. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48571"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:19:13Z",
    "severity": "MODERATE"
  },
  "details": "In multiple functions of btm_sec.cc, there is a possible way for an attacker to intercept SMS messages due to a logic error in the code. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.",
  "id": "GHSA-6w9x-gqpr-3fjh",
  "modified": "2026-06-17T18:35:42Z",
  "published": "2026-06-17T18:35:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48571"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/android-17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WQQ-M34G-CHQP

Vulnerability from github – Published: 2023-01-14 03:30 – Updated: 2025-04-07 21:31
VLAI
Details

The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23589"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-14T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002.",
  "id": "GHSA-6wqq-m34g-chqp",
  "modified": "2025-04-07T21:31:48Z",
  "published": "2023-01-14T03:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23589"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/tor/-/issues/40730"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-11"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5320"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6X33-PW7P-HMPQ

Vulnerability from github – Published: 2020-09-04 17:59 – Updated: 2024-01-29 20:57
VLAI
Summary
Denial of Service in http-proxy
Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Recommendation

Upgrade to version 1.18.1 or later

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "http-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T19:01:05Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `http-proxy` prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an `ERR_HTTP_HEADERS_SENT` unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the `proxyReq.setHeader` function.   \n\nFor a proxy server running on `http://localhost:3000`, the following curl request triggers the unhandled exception:  \n```curl -XPOST http://localhost:3000 -d \"$(python -c \u0027print(\"x\"*1025)\u0027)\"```\n\n\n## Recommendation\n\nUpgrade to version 1.18.1 or later",
  "id": "GHSA-6x33-pw7p-hmpq",
  "modified": "2024-01-29T20:57:00Z",
  "published": "2020-09-04T17:59:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/http-party/node-http-proxy/pull/1447/commits/4718119ffbe895aecd9be0d6430357d44b4c7fd3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http-party/node-http-proxy/pull/1447/files"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1486"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service in http-proxy"
}

GHSA-6XCG-8GP2-J443

Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32
VLAI
Details

Microsoft Office Security Feature Bypass Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21346"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T18:16:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Office Security Feature Bypass Vulnerability",
  "id": "GHSA-6xcg-8gp2-j443",
  "modified": "2025-01-14T18:32:05Z",
  "published": "2025-01-14T18:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21346"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21346"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72W7-MF9G-733P

Vulnerability from github – Published: 2026-06-26 20:33 – Updated: 2026-06-26 20:33
VLAI
Summary
nono-py has proxy-only network fallback bypass on older Linux kernels
Details

Summary

On Linux kernels that do not support Landlock network rules, nono_py.sandboxed_exec() could run CapabilitySet.proxy_only(proxy) without supervising the seccomp-notify proxy-only fallback returned by the Rust core.

In that configuration, a sandboxed child process could remove HTTP_PROXY / HTTPS_PROXY environment variables or use raw sockets and then open direct TCP connections that should have been denied by proxy-only policy.

The issue affects proxy-only enforcement. It does not mean that all nono-py network blocking is ineffective. ECS validation showed caps.block_network() denied regular TCP and ECS metadata TCP on the tested Linux 6.1 host.

Impact

The intended proxy_only() security property is:

  • child processes may connect only to the local nono proxy port
  • the proxy enforces host allowlists and metadata/link-local denial
  • direct TCP to any other target is denied

Before the fix, on kernels without Landlock AccessNet, the Python binding applied the sandbox and then executed the child, but did not install and supervise the proxy-only seccomp-notify fallback. A child could therefore bypass the proxy layer in that old-kernel path.

The highest-impact scenario is a sandboxed workload with access to cloud metadata discovery inputs, where direct TCP to a metadata endpoint could retrieve task or instance credentials after proxy environment variables are removed.

Affected Conditions

The issue requires all of the following:

  • Linux runtime.
  • Kernel without Landlock network support, such as Linux 6.1. Landlock network rules require Landlock ABI v4 / Linux 6.7 or newer.
  • nono_py.sandboxed_exec() is used.
  • The capability set uses caps.proxy_only(proxy).
  • The child process removes or ignores proxy environment variables, or uses raw sockets.

macOS Seatbelt proxy-only enforcement is not affected by this Linux seccomp-notify fallback issue.

Affected Versions

Known affected builds include nono-py versions that expose and use CapabilitySet.proxy_only() through sandboxed_exec() before the supervised fallback fix in this working tree.

Earlier versions that did not expose CapabilitySet.proxy_only() are not affected by this specific proxy-only enforcement bug, though they may have separate environment-inheritance risks if callers passed broad parent environment variables into sandboxed children.

CVSS Score Rationale

Metric Value Rationale
Attack Vector (AV) L — Local Exploit is performed by a local process (unsetting env vars or opening raw sockets). Not remotely triggerable.
Attack Complexity (AC) H — High All of the following must be true: Linux runtime; kernel < 6.7 (no Landlock ABI v4); sandboxed_exec() used; capability set calls proxy_only(); child actively bypasses proxy env vars or uses raw sockets.
Privileges Required (PR) L — Low Attacker is already executing code inside the sandbox — some user-level privilege is required to get there.
User Interaction (UI) N — None No action from a user or operator is needed once the sandboxed child is running.
Scope (S) C — Changed The exploit crosses the sandbox security boundary, allowing the child to reach network resources outside the defined policy scope.
Confidentiality (C) H — High Highest-impact path: direct TCP to cloud metadata endpoint (169.254.169.254) yields IAM / task credentials.
Integrity (I) L — Low Attacker can make arbitrary outbound requests; no direct data modification from the bypass itself, but lateral credential use creates indirect risk.
Availability (A) N — None No denial-of-service impact described or implied.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nono-py"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.0"
            },
            {
              "fixed": "0.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T20:33:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nOn Linux kernels that do not support Landlock network rules, `nono_py.sandboxed_exec()` could run `CapabilitySet.proxy_only(proxy)` without supervising the seccomp-notify proxy-only fallback returned by the Rust core.\n\nIn that configuration, a sandboxed child process could remove `HTTP_PROXY` / `HTTPS_PROXY` environment variables or use raw sockets and then open direct TCP connections that should have been denied by proxy-only policy.\n\nThe issue affects proxy-only enforcement. It does not mean that all nono-py network blocking is ineffective. ECS validation showed `caps.block_network()` denied regular TCP and ECS metadata TCP on the tested Linux 6.1 host.\n\n## Impact\n\nThe intended `proxy_only()` security property is:\n\n- child processes may connect only to the local nono proxy port\n- the proxy enforces host allowlists and metadata/link-local denial\n- direct TCP to any other target is denied\n\nBefore the fix, on kernels without Landlock `AccessNet`, the Python binding applied the sandbox and then executed the child, but did not install and supervise the proxy-only seccomp-notify fallback. A child could therefore bypass the proxy layer in that old-kernel path.\n\nThe highest-impact scenario is a sandboxed workload with access to cloud metadata discovery inputs, where direct TCP to a metadata endpoint could retrieve task or instance credentials after proxy environment variables are removed.\n\n## Affected Conditions\n\nThe issue requires all of the following:\n\n- Linux runtime.\n- Kernel without Landlock network support, such as Linux 6.1. Landlock network rules require Landlock ABI v4 / Linux 6.7 or newer.\n- `nono_py.sandboxed_exec()` is used.\n- The capability set uses `caps.proxy_only(proxy)`.\n- The child process removes or ignores proxy environment variables, or uses raw sockets.\n\nmacOS Seatbelt proxy-only enforcement is not affected by this Linux seccomp-notify fallback issue.\n\n## Affected Versions\n\nKnown affected builds include nono-py versions that expose and use `CapabilitySet.proxy_only()` through `sandboxed_exec()` before the supervised fallback fix in this working tree.\n\nEarlier versions that did not expose `CapabilitySet.proxy_only()` are not affected by this specific proxy-only enforcement bug, though they may have separate environment-inheritance risks if callers passed broad parent environment variables into sandboxed children.\n\n\n**CVSS Score Rationale**\n\n| Metric | Value | Rationale |\n|---|---|---|\n| **Attack Vector (AV)** | L \u2014 Local | Exploit is performed by a local process (unsetting env vars or opening raw sockets). Not remotely triggerable. |\n| **Attack Complexity (AC)** | H \u2014 High | All of the following must be true: Linux runtime; kernel \u003c 6.7 (no Landlock ABI v4); `sandboxed_exec()` used; capability set calls `proxy_only()`; child actively bypasses proxy env vars or uses raw sockets. |\n| **Privileges Required (PR)** | L \u2014 Low | Attacker is already executing code inside the sandbox \u2014 some user-level privilege is required to get there. |\n| **User Interaction (UI)** | N \u2014 None | No action from a user or operator is needed once the sandboxed child is running. |\n| **Scope (S)** | C \u2014 Changed | The exploit crosses the sandbox security boundary, allowing the child to reach network resources outside the defined policy scope. |\n| **Confidentiality (C)** | H \u2014 High | Highest-impact path: direct TCP to cloud metadata endpoint (169.254.169.254) yields IAM / task credentials. |\n| **Integrity (I)** | L \u2014 Low | Attacker can make arbitrary outbound requests; no direct data modification from the bypass itself, but lateral credential use creates indirect risk. |\n| **Availability (A)** | N \u2014 None | No denial-of-service impact described or implied. |\n\n---",
  "id": "GHSA-72w7-mf9g-733p",
  "modified": "2026-06-26T20:33:48Z",
  "published": "2026-06-26T20:33:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/always-further/nono-py/security/advisories/GHSA-72w7-mf9g-733p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nolabs-ai/nono-py/commit/3e67dfa11cbe9514f315fdd36473680c318816d7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/always-further/nono-py"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nono-py has proxy-only network fallback bypass on older Linux kernels"
}

GHSA-743G-PFWQ-R4WV

Vulnerability from github – Published: 2024-08-08 18:31 – Updated: 2024-08-08 18:31
VLAI
Details

NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in ipfilter, where improper ipfilter definitions could enable an attacker to cause a failure by attacking the switch. A successful exploit of this vulnerability might lead to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-08T17:15:17Z",
    "severity": "HIGH"
  },
  "details": "NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in ipfilter, where improper ipfilter definitions could enable an attacker to cause a failure by attacking the switch. A successful exploit of this vulnerability might lead to denial of service.",
  "id": "GHSA-743g-pfwq-r4wv",
  "modified": "2024-08-08T18:31:20Z",
  "published": "2024-08-08T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0101"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5559"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-75HH-423H-RVWG

Vulnerability from github – Published: 2026-04-21 21:31 – Updated: 2026-04-21 21:31
VLAI
Details

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-21T21:16:27Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).",
  "id": "GHSA-75hh-423h-rvwg",
  "modified": "2026-04-21T21:31:24Z",
  "published": "2026-04-21T21:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22013"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-76H8-9Q54-37CC

Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2026-02-17 00:30
VLAI
Details

Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T18:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.",
  "id": "GHSA-76h8-9q54-37cc",
  "modified": "2026-02-17T00:30:18Z",
  "published": "2025-04-08T18:34:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26637"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26637"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2026/Feb/15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-76MC-F452-CXCM

Vulnerability from github – Published: 2026-06-15 19:59 – Updated: 2026-06-15 19:59
VLAI
Summary
DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
Details

Hook mutation of data.allowedTags / data.allowedAttributes permanently pollutes DEFAULT_ALLOWED_TAGS / DEFAULT_ALLOWED_ATTR

CWE: CWE-501 (Trust Boundary Violation — hook-scoped mutation leaks to global default sets) via CWE-693 (Protection Mechanism Failure — the default allow-list is silently widened for all subsequent sanitize calls)

Summary

The data.allowedTags and data.allowedAttributes fields passed to uponSanitizeElement and uponSanitizeAttribute hooks are direct references to the library's live ALLOWED_TAGS / ALLOWED_ATTR sets. For sanitize calls that don't supply an explicit cfg.ALLOWED_TAGS / cfg.ALLOWED_ATTR array, those live sets are themselves direct references to the module-level DEFAULT_ALLOWED_TAGS / DEFAULT_ALLOWED_ATTR constants. A hook that mutates these fields — a natural-looking pattern for "allow X for this iteration" — permanently writes new entries into the default constants for the DOMPurify instance's lifetime. Every subsequent sanitize call that doesn't override the config inherits the widened defaults, so an attacker payload that uses the poisoned tag/attribute name survives sanitization. removeAllHooks(), clearConfig(), and even passing a fresh cfg: {} do not recover; only constructing a new DOMPurify instance does.

The maintainer's existing defense at src/purify.ts:696-700 explicitly clones DEFAULT_ALLOWED_TAGS before mutating it via cfg.ADD_TAGS (array form), demonstrating awareness of this exact class. The hook path remained uncovered.

Affected

  • DOMPurify ≤ 3.4.5, including main at 7996f1dc78eb8b7922388aed75d94a9f8fad9a36
  • Any application that installs a hook on uponSanitizeElement or uponSanitizeAttribute that writes to data.allowedTags[...] = true or data.allowedAttributes[...] = true and later sanitizes attacker-influenced content with default config (no explicit cfg.ALLOWED_TAGS / cfg.ALLOWED_ATTR array)

Vulnerability details

[A] — data.allowedTags is a reference to ALLOWED_TAGS

src/purify.ts:1206-1209:

_executeHooks(hooks.uponSanitizeElement, currentNode, {
  tagName,
  allowedTags: ALLOWED_TAGS,         // [A] direct reference; hook mutation
                                      //     mutates the very ALLOWED_TAGS the
                                      //     library checks on the next element
});

src/purify.ts:1494-1500 (the matching attribute hook):

const hookEvent = {
  attrName: '',
  attrValue: '',
  keepAttr: true,
  allowedAttributes: ALLOWED_ATTR,    // [A'] same pattern
  forceKeepAttr: undefined,
};

[B] — ALLOWED_TAGS = DEFAULT_ALLOWED_TAGS for default-cfg sanitize calls

src/purify.ts:527-531:

ALLOWED_TAGS =
  objectHasOwnProperty(cfg, 'ALLOWED_TAGS') &&
  arrayIsArray(cfg.ALLOWED_TAGS)
    ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc)
    : DEFAULT_ALLOWED_TAGS;            // [B] reference assignment; ALLOWED_TAGS
                                       //     IS the DEFAULT_ALLOWED_TAGS object

(The ALLOWED_ATTR = DEFAULT_ALLOWED_ATTR path at :532-536 is symmetric.)

The mismatch

A hook author who writes data.allowedTags['script'] = true reasonably expects per-call scope — the API name is "data", suggesting per-event payload. But [A] makes this a direct reference, and [B] makes that reference equal to the module-level default for the common default-cfg path. The hook's mutation therefore writes to a constant that every subsequent default-cfg sanitize call rebinds to.

The maintainer already recognized this class for the ADD_TAGS array path — src/purify.ts:696-700:

} else if (arrayIsArray(cfg.ADD_TAGS)) {
  if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
    ALLOWED_TAGS = clone(ALLOWED_TAGS);   // explicitly clone DEFAULT before
                                          // mutating to avoid this pollution
  }
  addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
}

The same defensive clone is missing from the hook code paths.

Proof of concept

// 1) fresh DOMPurify, default config — script is blocked
DOMPurify.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg></svg>"

// 2) install a hook that mutates data.allowedTags (natural-looking pattern)
DOMPurify.addHook('uponSanitizeElement', (node, data) => {
  data.allowedTags['script'] = true;
});

// 3) one sanitize call WITH the hook — script survives (expected during the hook)
DOMPurify.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg><script>alert(1)</script></svg>"

// 4) remove the hook
DOMPurify.removeAllHooks();
DOMPurify.clearConfig();

// 5) sanitize attacker content with default config — POLLUTION PERSISTS
DOMPurify.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg><script>alert(1)</script></svg>"  ← script survived without any hook

// 6) the only recovery: create a fresh DOMPurify instance
const fresh = DOMPurify(window);
fresh.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg></svg>"  ← clean

Observed (Chromium 148.0.7778.96, DOMPurify HEAD 7996f1d):

step input output bypass?
1 fresh baseline <svg><script>__</script></svg> <svg></svg> no
1b fresh baseline <a onclick=__>x</a> <a>x</a> no
2 with hook (script) <svg><script>__</script></svg> <svg><script>__</script></svg> yes (expected)
2b with hook (onclick) <a onclick=__>x</a> <a onclick="__">x</a> yes (expected)
3 after removeAllHooks() same <svg><script>__</script></svg> YES (pollution)
3b after removeAllHooks() same <a onclick="__">x</a> YES (pollution)
4 after clearConfig() same <svg><script>__</script></svg> YES
4b after clearConfig() same <a onclick="__">x</a> YES
5 explicit restrictive cfg.ALLOWED_TAGS=['svg'] same <svg></svg> no (cloned set)
6 back to no cfg same <svg><script>__</script></svg> YES
6b back to no cfg same <a onclick="__">x</a> YES
7 fresh DOMPurify(window) instance same <svg></svg> no
7b fresh instance <a onclick=__>x</a> <a>x</a> no

Impact

Direct

Any application using DOMPurify that has any registered hook with the pattern data.allowedTags[...] = true or data.allowedAttributes[...] = true. The hook need not be designed to be permissive — it might be intended to temporarily allow a custom tag for one specific element shape. After the hook has executed even once, every subsequent default-config sanitize call carries the widened defaults, including:

  • attacker content rendered via separate code paths (e.g., the same library serving a comments section and a profile bio, where the bio uses the hook and the comments use plain DOMPurify.sanitize(text))
  • third-party libraries that call DOMPurify.sanitize on the same instance

The bypass survives DOMPurify.removeAllHooks() and DOMPurify.clearConfig() — the obvious "reset" calls a dev would reach for. Detection requires reading the DEFAULT_ALLOWED_TAGS / DEFAULT_ALLOWED_ATTR sets directly, which are not part of the public API.

Indirect / second-order

  • Editor / preview libraries that compose with DOMPurify — if any consumer registers a hook that mutates data.allowedTags, every other consumer's sanitize calls inherit the widening.
  • Test suites that exercise multiple sanitize configurations — once a test's hook pollutes the defaults, later tests that assume default behavior may pass with widened defaults and miss real regressions.
  • Long-running servers (SSR, edge functions) that reuse a single DOMPurify instance — pollution accumulates over the process lifetime.

Why the existing maintainer defense for ADD_TAGS doesn't catch this

src/purify.ts:696-700 already documents awareness:

} else if (arrayIsArray(cfg.ADD_TAGS)) {
  if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
    ALLOWED_TAGS = clone(ALLOWED_TAGS);
  }
  addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
}

The clone-before-mutate pattern is exactly what's needed at the hook callsites (:1206-1209 and :1494-1500) but was not extended there. The new entries this report's bypass adds to the defaults survive the same way ADD_TAGS array entries would have survived before that fix landed.

Suggested fix

Three minimal-impact options, in order of preference:

  1. Hand the hook a defensive copy (most surgical):

ts _executeHooks(hooks.uponSanitizeElement, currentNode, { tagName, allowedTags: { ...ALLOWED_TAGS }, // shallow copy; mutations stay scoped });

Doc note: "data.allowedTags is a snapshot; to widen the live set, use cfg.ADD_TAGS or set the value to true in the snapshot and check the snapshot from a subsequent attribute hook." Hooks that read it for inspection still work; hooks that intended cross-call mutation must be rewritten to use a proper config path (which is the correct API anyway).

  1. Clone-on-write inside the hook path, mirroring the existing ADD_TAGS defense at :696-700: detect that ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS after the hook returns, and if so, replace it with a clone for subsequent processing. This preserves the live-mutation semantics for in-call effects while preventing cross-call leakage.

  2. Lazy-clone ALLOWED_TAGS/ALLOWED_ATTR from defaults on first mutation: install a Proxy or accessor that triggers a clone before mutation. Largest surface area, but bulletproof.

Option (1) is the cleanest API contract: hook event objects should be event-local, never references to library-internal state.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dompurify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-501",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T19:59:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`\n\n**CWE**: CWE-501 (Trust Boundary Violation \u2014 hook-scoped mutation leaks to global default sets) via CWE-693 (Protection Mechanism Failure \u2014 the default allow-list is silently widened for all subsequent sanitize calls)\n\n## Summary\n\nThe `data.allowedTags` and `data.allowedAttributes` fields passed to `uponSanitizeElement` and `uponSanitizeAttribute` hooks are **direct references** to the library\u0027s live `ALLOWED_TAGS` / `ALLOWED_ATTR` sets. For sanitize calls that don\u0027t supply an explicit `cfg.ALLOWED_TAGS` / `cfg.ALLOWED_ATTR` array, those live sets are themselves direct references to the module-level `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR` constants. A hook that mutates these fields \u2014 a natural-looking pattern for \"allow `X` for this iteration\" \u2014 permanently writes new entries into the default constants for the DOMPurify instance\u0027s lifetime. Every subsequent sanitize call that doesn\u0027t override the config inherits the widened defaults, so an attacker payload that uses the poisoned tag/attribute name survives sanitization. `removeAllHooks()`, `clearConfig()`, and even passing a fresh `cfg: {}` do not recover; only constructing a new DOMPurify instance does.\n\nThe maintainer\u0027s existing defense at `src/purify.ts:696-700` explicitly clones `DEFAULT_ALLOWED_TAGS` before mutating it via `cfg.ADD_TAGS` (array form), demonstrating awareness of this exact class. The hook path remained uncovered.\n\n## Affected\n\n- DOMPurify \u2264 3.4.5, including `main` at `7996f1dc78eb8b7922388aed75d94a9f8fad9a36`\n- Any application that installs a hook on `uponSanitizeElement` or `uponSanitizeAttribute` that writes to `data.allowedTags[...] = true` or `data.allowedAttributes[...] = true` and later sanitizes attacker-influenced content with default config (no explicit `cfg.ALLOWED_TAGS` / `cfg.ALLOWED_ATTR` array)\n\n## Vulnerability details\n\n### [A] \u2014 `data.allowedTags` is a reference to `ALLOWED_TAGS`\n\n`src/purify.ts:1206-1209`:\n\n```ts\n_executeHooks(hooks.uponSanitizeElement, currentNode, {\n  tagName,\n  allowedTags: ALLOWED_TAGS,         // [A] direct reference; hook mutation\n                                      //     mutates the very ALLOWED_TAGS the\n                                      //     library checks on the next element\n});\n```\n\n`src/purify.ts:1494-1500` (the matching attribute hook):\n\n```ts\nconst hookEvent = {\n  attrName: \u0027\u0027,\n  attrValue: \u0027\u0027,\n  keepAttr: true,\n  allowedAttributes: ALLOWED_ATTR,    // [A\u0027] same pattern\n  forceKeepAttr: undefined,\n};\n```\n\n### [B] \u2014 `ALLOWED_TAGS = DEFAULT_ALLOWED_TAGS` for default-cfg sanitize calls\n\n`src/purify.ts:527-531`:\n\n```ts\nALLOWED_TAGS =\n  objectHasOwnProperty(cfg, \u0027ALLOWED_TAGS\u0027) \u0026\u0026\n  arrayIsArray(cfg.ALLOWED_TAGS)\n    ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc)\n    : DEFAULT_ALLOWED_TAGS;            // [B] reference assignment; ALLOWED_TAGS\n                                       //     IS the DEFAULT_ALLOWED_TAGS object\n```\n\n(The `ALLOWED_ATTR = DEFAULT_ALLOWED_ATTR` path at `:532-536` is symmetric.)\n\n### The mismatch\n\nA hook author who writes `data.allowedTags[\u0027script\u0027] = true` reasonably expects per-call scope \u2014 the API name is *\"data\"*, suggesting per-event payload. But [A] makes this a direct reference, and [B] makes that reference equal to the module-level default for the common default-cfg path. The hook\u0027s mutation therefore writes to a *constant* that every subsequent default-cfg sanitize call rebinds to.\n\nThe maintainer already recognized this class for the `ADD_TAGS` array path \u2014 `src/purify.ts:696-700`:\n\n```ts\n} else if (arrayIsArray(cfg.ADD_TAGS)) {\n  if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {\n    ALLOWED_TAGS = clone(ALLOWED_TAGS);   // explicitly clone DEFAULT before\n                                          // mutating to avoid this pollution\n  }\n  addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);\n}\n```\n\nThe same defensive clone is missing from the hook code paths.\n\n## Proof of concept\n\n```js\n// 1) fresh DOMPurify, default config \u2014 script is blocked\nDOMPurify.sanitize(\u0027\u003csvg\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/svg\u003e\u0027);\n// \u2192 \"\u003csvg\u003e\u003c/svg\u003e\"\n\n// 2) install a hook that mutates data.allowedTags (natural-looking pattern)\nDOMPurify.addHook(\u0027uponSanitizeElement\u0027, (node, data) =\u003e {\n  data.allowedTags[\u0027script\u0027] = true;\n});\n\n// 3) one sanitize call WITH the hook \u2014 script survives (expected during the hook)\nDOMPurify.sanitize(\u0027\u003csvg\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/svg\u003e\u0027);\n// \u2192 \"\u003csvg\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/svg\u003e\"\n\n// 4) remove the hook\nDOMPurify.removeAllHooks();\nDOMPurify.clearConfig();\n\n// 5) sanitize attacker content with default config \u2014 POLLUTION PERSISTS\nDOMPurify.sanitize(\u0027\u003csvg\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/svg\u003e\u0027);\n// \u2192 \"\u003csvg\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/svg\u003e\"  \u2190 script survived without any hook\n\n// 6) the only recovery: create a fresh DOMPurify instance\nconst fresh = DOMPurify(window);\nfresh.sanitize(\u0027\u003csvg\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/svg\u003e\u0027);\n// \u2192 \"\u003csvg\u003e\u003c/svg\u003e\"  \u2190 clean\n```\n\nObserved (Chromium 148.0.7778.96, DOMPurify HEAD `7996f1d`):\n\n| step | input | output | bypass? |\n|---|---|---|---|\n| 1 fresh baseline | `\u003csvg\u003e\u003cscript\u003e__\u003c/script\u003e\u003c/svg\u003e` | `\u003csvg\u003e\u003c/svg\u003e` | no |\n| 1b fresh baseline | `\u003ca onclick=__\u003ex\u003c/a\u003e` | `\u003ca\u003ex\u003c/a\u003e` | no |\n| 2 with hook (script) | `\u003csvg\u003e\u003cscript\u003e__\u003c/script\u003e\u003c/svg\u003e` | `\u003csvg\u003e\u003cscript\u003e__\u003c/script\u003e\u003c/svg\u003e` | yes (expected) |\n| 2b with hook (onclick) | `\u003ca onclick=__\u003ex\u003c/a\u003e` | `\u003ca onclick=\"__\"\u003ex\u003c/a\u003e` | yes (expected) |\n| 3 after `removeAllHooks()` | same | `\u003csvg\u003e\u003cscript\u003e__\u003c/script\u003e\u003c/svg\u003e` | **YES (pollution)** |\n| 3b after `removeAllHooks()` | same | `\u003ca onclick=\"__\"\u003ex\u003c/a\u003e` | **YES (pollution)** |\n| 4 after `clearConfig()` | same | `\u003csvg\u003e\u003cscript\u003e__\u003c/script\u003e\u003c/svg\u003e` | **YES** |\n| 4b after `clearConfig()` | same | `\u003ca onclick=\"__\"\u003ex\u003c/a\u003e` | **YES** |\n| 5 explicit restrictive `cfg.ALLOWED_TAGS=[\u0027svg\u0027]` | same | `\u003csvg\u003e\u003c/svg\u003e` | no (cloned set) |\n| 6 back to no cfg | same | `\u003csvg\u003e\u003cscript\u003e__\u003c/script\u003e\u003c/svg\u003e` | **YES** |\n| 6b back to no cfg | same | `\u003ca onclick=\"__\"\u003ex\u003c/a\u003e` | **YES** |\n| 7 fresh `DOMPurify(window)` instance | same | `\u003csvg\u003e\u003c/svg\u003e` | no |\n| 7b fresh instance | `\u003ca onclick=__\u003ex\u003c/a\u003e` | `\u003ca\u003ex\u003c/a\u003e` | no |\n\n## Impact\n\n### Direct\n\nAny application using `DOMPurify` that has any registered hook with the pattern `data.allowedTags[...] = true` or `data.allowedAttributes[...] = true`. The hook need not be designed to be permissive \u2014 it might be intended to *temporarily* allow a custom tag for one specific element shape. After the hook has executed even once, every subsequent default-config sanitize call carries the widened defaults, including:\n\n- attacker content rendered via separate code paths (e.g., the same library serving a comments section and a profile bio, where the bio uses the hook and the comments use plain `DOMPurify.sanitize(text)`)\n- third-party libraries that call `DOMPurify.sanitize` on the same instance\n\nThe bypass survives `DOMPurify.removeAllHooks()` and `DOMPurify.clearConfig()` \u2014 the obvious \"reset\" calls a dev would reach for. Detection requires reading the `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR` sets directly, which are not part of the public API.\n\n### Indirect / second-order\n\n- **Editor / preview libraries** that compose with DOMPurify \u2014 if any consumer registers a hook that mutates `data.allowedTags`, every other consumer\u0027s sanitize calls inherit the widening.\n- **Test suites** that exercise multiple sanitize configurations \u2014 once a test\u0027s hook pollutes the defaults, later tests that assume default behavior may pass with widened defaults and miss real regressions.\n- **Long-running servers** (SSR, edge functions) that reuse a single DOMPurify instance \u2014 pollution accumulates over the process lifetime.\n\n### Why the existing maintainer defense for `ADD_TAGS` doesn\u0027t catch this\n\n`src/purify.ts:696-700` already documents awareness:\n\n```ts\n} else if (arrayIsArray(cfg.ADD_TAGS)) {\n  if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {\n    ALLOWED_TAGS = clone(ALLOWED_TAGS);\n  }\n  addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);\n}\n```\n\nThe clone-before-mutate pattern is exactly what\u0027s needed at the hook callsites (`:1206-1209` and `:1494-1500`) but was not extended there. The new entries this report\u0027s bypass adds to the defaults survive the same way `ADD_TAGS` array entries would have survived before that fix landed.\n\n## Suggested fix\n\nThree minimal-impact options, in order of preference:\n\n1. **Hand the hook a defensive copy** (most surgical):\n\n   ```ts\n   _executeHooks(hooks.uponSanitizeElement, currentNode, {\n     tagName,\n     allowedTags: { ...ALLOWED_TAGS },     // shallow copy; mutations stay scoped\n   });\n   ```\n\n   Doc note: \"`data.allowedTags` is a snapshot; to widen the live set, use `cfg.ADD_TAGS` or set the value to true in the snapshot and check the snapshot from a subsequent attribute hook.\" Hooks that read it for inspection still work; hooks that intended cross-call mutation must be rewritten to use a proper config path (which is the correct API anyway).\n\n2. **Clone-on-write inside the hook path**, mirroring the existing `ADD_TAGS` defense at `:696-700`: detect that `ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS` after the hook returns, and if so, replace it with a clone for subsequent processing. This preserves the live-mutation semantics for in-call effects while preventing cross-call leakage.\n\n3. **Lazy-clone `ALLOWED_TAGS`/`ALLOWED_ATTR` from defaults on first mutation**: install a Proxy or accessor that triggers a clone before mutation. Largest surface area, but bulletproof.\n\nOption (1) is the cleanest API contract: hook event objects should be event-local, never references to library-internal state.",
  "id": "GHSA-76mc-f452-cxcm",
  "modified": "2026-06-15T19:59:09Z",
  "published": "2026-06-15T19:59:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-76mc-f452-cxcm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cure53/DOMPurify"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`"
}

No mitigation information available for this CWE.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-107: Cross Site Tracing

Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-237: Escaping a Sandbox by Calling Code in Another Language

The attacker may submit malicious code of another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.

CAPEC-36: Using Unpublished Interfaces or Functionality

An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.

CAPEC-477: Signature Spoofing by Mixing Signed and Unsigned Content

An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.

CAPEC-480: Escaping Virtualization

An adversary gains access to an application, service, or device with the privileges of an authorized or privileged user by escaping the confines of a virtualized environment. The adversary is then able to access resources or execute unauthorized code within the host environment, generally with the privileges of the user running the virtualized process. Successfully executing an attack of this type is often the first step in executing more complex attacks.

CAPEC-51: Poison Web Service Registry

SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

CAPEC-65: Sniff Application Code

An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.

CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)

An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.

CAPEC-74: Manipulating State

The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner.

State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.

If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.

CAPEC-87: Forceful Browsing

An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.