CVE-2025-26791
Cross-site Scripting (XSS) vulnerability in dompurify (npm)
What is CVE-2025-26791 About?
DOMPurify before 3.2.4 uses an incorrect regular expression for JavaScript template literals when `SAFE_FOR_TEMPLATES` is set to true, leading to mutation cross-site scripting (mXSS). An attacker can supply input containing template-literal syntax (`${...}`) that survives sanitization in a form the browser later re-parses into executable markup. Exploitation is straightforward once an application is found using the vulnerable configuration, and the outcome is script execution in the victim's browser.
Affected Software
- dompurify (npm), all versions before 3.2.4, when sanitizing with `SAFE_FOR_TEMPLATES` set to true
Technical Details
The vulnerability affects DOMPurify versions before 3.2.4 and is reachable only when the `SAFE_FOR_TEMPLATES` option is set to true. In that mode DOMPurify strips template expressions (Mustache `{{...}}`, ERB `<%...%>`, and JavaScript template literals `${...}`) from text nodes and attribute values after it has parsed the input, so that a templating framework rendering the sanitized output does not evaluate attacker-supplied expressions. The template-literal regular expression required a closing `}`: an input containing `${` with no matching `}` was left in place rather than removed. Because this replacement operates on the already-parsed DOM and the result is then serialized back to a string, the fragments that are removed or that survive can change how the browser tokenizes the output when the application inserts it into the page (for example via `innerHTML`). The browser then builds a different DOM tree from the one DOMPurify inspected, and content that was inert text at sanitization time becomes a live element or event handler. That divergence between the sanitizer's view and the browser's re-parse is what makes this a mutation XSS (mXSS), ending in script execution in the victim's browser context.
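The following is an added example, not DOMPurify's own source and not a proof of concept for the bypass. The two regular expressions are the pre-3.2.4 `TMPLIT_EXPR` and its replacement from the fix commit listed under Additional Resources; the surrounding functions, names and sample values are constructed for this demonstration. It applies each expression the way `SAFE_FOR_TEMPLATES` does (every match replaced by a single space) and shows that only the fixed expression removes an unclosed `${`. The mXSS itself additionally depends on how the surviving fragment interacts with the browser's re-parse, which this block does not model.

```javascript
// Added example for CVE-2025-26791; illustrative code, not DOMPurify's source.
// The two regexes below are the pre-3.2.4 TMPLIT_EXPR and its replacement
// from the fix commit. Function names and sample inputs are constructed.

// Before 3.2.4: a template literal is matched only if a closing "}" follows.
const TMPLIT_EXPR_BEFORE = /\$\{[\w\W]*}/gm;
// 3.2.4 and later: everything from "${" to the end of the string is matched,
// so an unclosed "${" can no longer survive sanitization.
const TMPLIT_EXPR_FIXED = /\$\{[\w\W]*/gm;

// SAFE_FOR_TEMPLATES applies the expression to text nodes and attribute
// values and replaces each match with a single space rather than deleting it.
function stripTemplateLiterals(value, expr) {
  return value.replace(expr, ' ');
}

// Does a "${" opener survive in the sanitized value? If so, a framework that
// evaluates template literals in the rendered output still sees an expression.
function leaksTemplateOpener(value) {
  return /\$\{/.test(value);
}

// Run one value through both expressions and report what each leaves behind.
function compare(value) {
  const before = stripTemplateLiterals(value, TMPLIT_EXPR_BEFORE);
  const fixed = stripTemplateLiterals(value, TMPLIT_EXPR_FIXED);
  return {
    before,
    fixed,
    beforeLeaks: leaksTemplateOpener(before),
    fixedLeaks: leaksTemplateOpener(fixed),
  };
}

// Constructed sample values, as they might occur in a text node or attribute.
const SAMPLES = {
  closed: 'Hello ${user.name}!',   // both versions strip this
  unclosed: 'Hello ${user.name',   // only the fixed regex strips this
  multiple: '${a} and ${b}',       // greedy match: both strip everything
  benign: 'Price is $5 {today}',   // no "${": untouched by both
};

function runAll() {
  const results = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    results[name] = compare(value);
  }
  return results;
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.table(runAll());
}
```

The `unclosed` row is the one that matters: with the old expression the value comes back unchanged and still carries `${`, while the fixed expression reduces it to `Hello ` plus a space. The `multiple` row shows a side effect of the greedy `[\w\W]*` that exists in both versions: everything between the first `${` and the last `}` is discarded, not just the individual expressions.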
What is the Impact of CVE-2025-26791?
Successful exploitation lets an attacker run arbitrary JavaScript in the victim's browser within the origin of the vulnerable application. From there the attacker can read session cookies and tokens that are not marked HttpOnly, deface the page, redirect the user to attacker-controlled sites, or inject convincing phishing content.
What is the Exploitability of CVE-2025-26791?
To exploit this mXSS an attacker needs to get crafted content through a DOMPurify instance running with `SAFE_FOR_TEMPLATES` set to true and then have the sanitized output rendered in a victim's browser. Complexity is moderate: the input must pass the sanitizer's checks yet be re-interpreted by the browser as something different. The attacker needs no credentials; the victim only has to view a page that renders the sanitized content. The attack is remote and targets the client-side browser. Prerequisites are a vulnerable DOMPurify version, the `SAFE_FOR_TEMPLATES` setting, and user-controlled input that ends up in an HTML context. Applications that accept and display user-generated HTML, such as forums, chat or commenting features, and rely on DOMPurify as their sanitizer are the most exposed.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2025-26791?
About the Fix from Resolved Security
The patch fixes CVE-2025-26791 by broadening the regular expression for JavaScript template literals so that an unclosed `${...` sequence with no closing `}` is also matched and removed when `SAFE_FOR_TEMPLATES` is enabled. Previously the expression only matched when a closing brace was present, so leaving a template expression unclosed let it survive sanitization and reach the rendered page. The patch also adds a check for `window.Element` so that unsupported environments are detected more reliably.
Available Upgrade Options
- dompurify
- <3.2.4 → Upgrade to 3.2.4
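Because dompurify is often pulled in transitively (editors, markdown renderers, widget libraries), a top-level `npm ls` can miss older nested copies. The following is an added example, not from the advisory or from DOMPurify: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and reports every installed copy below 3.2.4, including copies nested under other dependencies. The lockfile contents are constructed for the demonstration.

```javascript
// Added example for CVE-2025-26791; not part of the advisory or of DOMPurify.
// Scans the "packages" map of an npm package-lock.json (lockfileVersion 2/3)
// and lists every installed dompurify below the fixed version 3.2.4.

const FIXED_VERSION = [3, 2, 4];

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored.
// Returns null for anything that does not start with three numeric parts.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when a is strictly lower than b (both [major, minor, patch]).
function semverLessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Keys of "packages" are install paths. dompurify can sit at the top level
// ("node_modules/dompurify") or nested ("node_modules/x/node_modules/dompurify").
function isDompurifyPath(installPath) {
  return installPath === 'node_modules/dompurify' ||
         installPath.endsWith('/node_modules/dompurify');
}

function findVulnerableDompurify(lock) {
  const hits = [];
  for (const [installPath, pkg] of Object.entries(lock.packages || {})) {
    if (!isDompurifyPath(installPath)) continue;
    const parsed = parseSemver(pkg.version);
    if (parsed === null) {
      // Unparseable versions (git URLs, "file:" links) deserve a manual look.
      hits.push({ installPath, version: String(pkg.version), reason: 'unparseable version' });
    } else if (semverLessThan(parsed, FIXED_VERSION)) {
      hits.push({ installPath, version: pkg.version, reason: 'below 3.2.4' });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project): one vulnerable top-level
// copy, one fixed nested copy, and one vulnerable nested copy.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/dompurify': { version: '3.2.3' },
    'node_modules/some-editor': { version: '2.0.0' },
    'node_modules/some-editor/node_modules/dompurify': { version: '3.2.4' },
    'node_modules/legacy-widget': { version: '0.9.1' },
    'node_modules/legacy-widget/node_modules/dompurify': { version: '2.5.8' },
  },
};

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  // Real use: findVulnerableDompurify(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
  console.log(findVulnerableDompurify(SAMPLE_LOCK));
}
```

Nested copies are the ones that survive a naive `npm install dompurify@latest`, because the parent package's own range decides what gets installed there; fixing them means bumping the parent, adding an `overrides` entry in `package.json`, or deduplicating. A flagged copy is only exploitable through this CVE if the code using it enables `SAFE_FOR_TEMPLATES`, so the audit is a starting point, not a verdict.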
Additional Resources
- https://nsysean.github.io/posts/dompurify-323-bypass
- https://ensy.zip/posts/dompurify-323-bypass
- https://osv.dev/vulnerability/GHSA-vhxf-7vqr-mrjg
- https://nvd.nist.gov/vuln/detail/CVE-2025-26791
- https://github.com/cure53/DOMPurify
- https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02
- https://github.com/cure53/DOMPurify/releases/tag/3.2.4
What are Similar Vulnerabilities to CVE-2025-26791?
Similar Vulnerabilities: CVE-2022-35914 , CVE-2023-38545 , CVE-2023-22874 , CVE-2022-42969 , CVE-2022-31129
