Upstream released a new version. Changelog mentions: "- Fixed bugs #61824,61912,61956,62190,62230 ext/DOM memory corruption (cschneid)" Memory corruption can be security-relevant, but there's no further info to verify that, so I'm not opening a security bug yet.
I can bump to this version, but it would be p.masked. Upstream (Rasmus) still recommends not using this for production so unless one wants to help out with testing/bugfixing, one should stay away from these beta versions.
3.1.10 is in tree and not masked (though depends if you mean ~-"masked" or p.masked). 3.1.11 should be better than 3.1.10 at least.
Hm. True that. It should have been p.masked :) But apparently this is not bothering anyone, so I just bumped it.