CVE-2025-15599: Cross-site Scripting in Dompurify

Severity: 5.1 MEDIUM (NVD)
EPSS: 0.0% (top 90.17%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Mar 3

Description

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization because the SAFE_FOR_XML regex does not validate the textarea rawtext element. An attacker can place a closing rawtext tag inside an attribute value; when the sanitized output is later inserted into a rawtext element, the closing tag breaks out of the rawtext context and JavaScript executes. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages (3 packages)

Source     Package           From   To     
NVD        cure53/dompurify  3.1.3  3.2.7  +1
npm        cure53/dompurify  3.1.3  3.2.7  +1
CVEListV5  cure53/dompurify  3.1.3  3.2.6  +1

Patches

Vulnerability Details (4)

GHSA: DOMPurify contains a Cross-site Scripting vulnerability (2026-03-03)
OSV: CVE-2025-15599: DOMPurify 3 (2026-03-03)
OSV: DOMPurify contains a Cross-site Scripting vulnerability (2026-03-03)
CVEList: DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML (2026-03-03)

Vendor Advisories (2)

Red Hat: DOMPurify: Cross-site scripting (2026-03-03)
Debian: CVE-2025-15599: node-dompurify - DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scrip... (2025)

Threat Intelligence (1)

Wiz: CVE-2025-15599 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-15599 — Cross-site Scripting in Dompurify | cvebase