Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-15599 is a cross-site scripting (XSS) vulnerability in DOMPurify versions 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8. The issue arises because DOMPurify's sanitization process fails to properly validate textarea rawtext elements in its SAFE_FOR_XML regular expression. Attackers can exploit this by including closing rawtext tags like </textarea> inside attribute values, which breaks out of the rawtext context and allows execution of arbitrary JavaScript when the sanitized output is placed inside rawtext elements."}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in the 3.x branch starting from version 3.2.7, but the 2.x branch was never patched. The fix involved tightening the regular expression to detect and remove unsafe HTML attribute values containing certain tags that could be exploited to bypass sanitization.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can allow attackers to execute arbitrary JavaScript code in the context of your web application by bypassing DOMPurify's sanitization. This can lead to cross-site scripting (XSS) attacks, which may result in unauthorized actions such as stealing user credentials, session hijacking, defacing web content, or delivering malicious payloads to users."}, {'type': 'paragraph', 'content': 'Because the vulnerability specifically involves breaking out of rawtext contexts inside textarea elements, any application that uses vulnerable versions of DOMPurify to sanitize user input that is later rendered inside such elements is at risk.'}] [1, 2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects DOMPurify versions 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8. Detection involves identifying if these vulnerable versions of DOMPurify are in use within your environment.

Since DOMPurify is a JavaScript library used in browsers or Node.js environments, detection can be done by checking the version of DOMPurify loaded in your web applications or server-side code.

Suggested commands or methods include:

• For Node.js projects, run `npm list dompurify` or `yarn list dompurify` to check the installed version.
• In browser environments, inspect the loaded DOMPurify version by opening developer tools console and running `DOMPurify.version` if accessible.
• Search your codebase for references to DOMPurify and verify the version in package.json or equivalent dependency files.

There are no specific network commands or signatures provided to detect exploitation attempts of this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade DOMPurify to a fixed version.

• For the 3.x branch, upgrade to version 3.2.7 or later, which contains the fix for this vulnerability.
• For the 2.x branch, since it was never patched, upgrade to the latest 3.x version if possible.

Additionally, ensure that any server-side DOM implementations like jsdom are updated to their latest secure versions, as outdated jsdom versions can introduce XSS risks even when using DOMPurify.

Avoid modifying sanitized HTML after purification, as this can void security guarantees.

Review and avoid unsafe custom configurations that disable safe XML mode or otherwise weaken sanitization.

Useful 0 Not Useful 0