CVE-2025-15599
cross-site scripting vulnerability in dompurify (npm)

Vulnerability type: cross-site scripting. Known public exploit: none.

What is CVE-2025-15599 About?

This is a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization in DOMPurify. Successful exploitation can lead to arbitrary JavaScript execution in the victim's browser, potentially compromising user data and session integrity. The vulnerability stems from a flaw in rawtext element validation and is relatively easy to exploit under specific conditions.

Affected Software

  • dompurify
    • >=2.5.3, <=2.5.8
    • >=3.1.3, <3.2.7

Technical Details

The vulnerability in DOMPurify (versions 3.1.3-3.2.6 and 2.5.3-2.5.8) stems from insufficient validation of rawtext elements, specifically textareas, in the SAFE_FOR_XML regex applied during attribute sanitization. An attacker can place a closing rawtext tag such as '</textarea>' inside an attribute value and have it survive sanitization. When the sanitized output containing that attribute is later placed inside a rawtext element in the rendered HTML, the injected closing tag ends the rawtext context early, and the browser parses everything after it as markup (and so as executable script) instead of raw text, allowing arbitrary JavaScript execution.
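As an added defensive example (not DOMPurify's own code and not the project's fix), the following JavaScript shows the two checks a defender would want around this bug class: a post-sanitization scan of attribute values for closing rawtext tags, and an escaping helper for content that has to land inside a textarea so that no closing tag can form at all. The rawtext element list, the sample markup and the function names are assumptions made for illustration.

```javascript
// Added defensive example, not DOMPurify's own code or its fix. The element
// list, sample markup and function names are assumptions for illustration.

// Elements whose content the HTML parser reads as raw text until it meets the
// element's own closing tag, so a literal "</textarea" inside such content
// ends the element early (the escape the advisory describes).
const RAWTEXT_ELEMENTS = [
  "textarea", "title", "script", "style", "xmp", "iframe",
  "noembed", "noframes", "noscript", "plaintext",
];

// A closing rawtext tag as the parser recognises it: "</", the name
// (case-insensitive), then whitespace, "/" or ">".
const RAWTEXT_CLOSER = new RegExp(
  "</(" + RAWTEXT_ELEMENTS.join("|") + ")[\\s/>]", "i");

// Minimal attribute scanner for already-sanitized markup:
// name="value", name='value' or name=value.
const ATTRIBUTE = /\s([a-zA-Z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Post-sanitization check: which attribute values still carry a closing
// rawtext tag? Anything returned here must not be embedded in a rawtext
// element, whatever the sanitizer said.
function findRawtextClosersInAttributes(html) {
  const hits = [];
  for (const m of html.matchAll(ATTRIBUTE)) {
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (RAWTEXT_CLOSER.test(value)) hits.push({ name: m[1], value });
  }
  return hits;
}

// Escapes text for <textarea>/<title> (escapable raw text, where character
// references are decoded for display): with no literal "<" or ">" left,
// no closing tag can form. Never embed untrusted text in <script>/<style>.
function escapeForRawtext(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Builds a textarea whose content cannot terminate the element early.
function safeTextareaMarkup(untrusted) {
  return "<textarea>" + escapeForRawtext(untrusted) + "</textarea>";
}

// Constructed sample of the shape the advisory describes: an attribute value
// that a sanitizer let through, carrying a closing rawtext tag.
const SAMPLE_SANITIZED =
  '<a title="x</textarea><i>parsed as markup</i>">link</a>';

console.log(findRawtextClosersInAttributes(SAMPLE_SANITIZED), safeTextareaMarkup(SAMPLE_SANITIZED));
```

The scan is a belt-and-braces check on top of the sanitizer; the escaping helper removes the rawtext embedding precondition the advisory describes, which is the more robust of the two.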

What is the Impact of CVE-2025-15599?

Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, sensitive data disclosure, or redirection to malicious sites.

What is the Exploitability of CVE-2025-15599?

Exploiting this vulnerability requires an attacker to supply malicious input that is processed by DOMPurify and then rendered inside a rawtext element on a web page. No specific authentication or privilege is required beyond the ability to submit data to the vulnerable application. The complexity is moderate, requiring an understanding of HTML parsing and sanitization bypass techniques. Remote exploitation is possible when the vulnerable application processes and renders user-supplied input without proper sanitization. The key constraint is that the sanitized output must be placed inside a rawtext element for the payload to break out of context. Exploitation is most likely in applications that rely extensively on DOMPurify for user-generated content and then place that content inside elements such as textareas.

What are the Known Public Exploits?

No known exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2025-15599?

Available Upgrade Options

  • dompurify
    • >=3.1.3, <3.2.7 → Upgrade to 3.2.7


Additional Resources

What are Similar Vulnerabilities to CVE-2025-15599?

Similar Vulnerabilities: CVE-2023-38545, CVE-2023-38544, CVE-2023-38543, CVE-2023-34035, CVE-2023-32009