Upgrade `dompurify` to version `3.2.6` in order to patch `CVE-2025-48050` vulnerability

[zeraye]

There is vulnerability CVE-2025-48050 with CVSS v3 score of 7.5 (High), see on nvd.nist.gov site. Upgrade to dompurify version 3.2.6 would patch this issue. It's not as easy as bumping version, because some tests fail after upgrade. Order of attributes have changed, so tests fail with issues like:

- <div class=\"renderedMarkdown\"><p><img title=\"Image title\" alt=\"Image alt text\" src=\"http://image.source\"></p></div>
+ <div class=\"renderedMarkdown\"><p><img src=\"http://image.source\" alt=\"Image alt text\" title=\"Image title\"></p></div>

Not sure if any users rely on attribute order. If it's just about fixing tests, I can send a PR to update them and upgrade dompurify.

[marvingreeven]

Any updates on this issue?

[zeraye]

@marvingreeven My bad - I should've left comment. I haven't managed to upgrade dompurify in swagger-ui, but:

CVE-2025-48050 has currently Disputed status with note:

The Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started.

According to the DOMPurify owners cure53 group:

Not a vulnerability, the CVE was created by the "finder" without any coordination and should be deleted. source

It's an invalid finding, the CVE was revoked last week. source

Note: cure53 group members are security analysis experts with multiple reports and academic papers.

So in theory you could recalculate CVSS internally to 0. It seems like this CVE was never valid and don't have to be fixed.

It would be nice though, to upgrade dompurify just to make automatic scans pass tests. Even if it's not exploitable.

[teivanov]

I also think that it would be nice to upgrade dompurify. Is there any reason that its version is set to =3.2.4 in package.json?

[robert-hebel-sb]

addressed in: #10572