CVE-2025-15599
📋 TL;DR
This CVE describes a cross-site scripting vulnerability in DOMPurify that allows attackers to bypass HTML sanitization by injecting malicious closing tags like </textarea> into attribute values. When sanitized output is placed inside rawtext elements, this can lead to JavaScript execution. Users of DOMPurify versions 3.1.3-3.2.6 and 2.5.3-2.5.8 are affected.
💻 Affected Systems
- DOMPurify
📦 What is this software?
Dompurify by Cure53
⚠️ Risk & Real-World Impact
Worst Case
Attackers can execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, or complete account compromise.
Likely Case
Cross-site scripting attacks that steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users.
If Mitigated
Limited impact if proper Content Security Policies are implemented and user input is further validated beyond DOMPurify.
🎯 Exploit Status
Exploit requires user interaction (visiting malicious page) but the bypass technique is simple and public.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.7 for 3.x branch (2.x branch was never patched)
Vendor Advisory: https://github.com/cure53/DOMPurify/commit/c861f5a83fb8d90800f1680f855fee551161ac2b
Restart Required: No
Instructions:
1. Update DOMPurify to version 3.2.7 or later.
2. For 2.x branch users, migrate to the 3.x branch and update to 3.2.7+.
3. Test that sanitization works correctly with your specific use cases.
🔧 Temporary Workarounds
Disable SAFE_FOR_XML mode
Avoid using the SAFE_FOR_XML configuration option if it is not required for your use case:
// Explicitly disable SAFE_FOR_XML for this sanitize call
DOMPurify.sanitize(input, {SAFE_FOR_XML: false})
Additional input validation
Implement custom validation to reject input containing rawtext closing tags in attribute values, for example:
// JavaScript regex to detect a closing </textarea> tag (case-insensitive);
// other rawtext closers (e.g. </title>, </style>) need their own patterns
const dangerousPattern = /<\/textarea[^>]*>/i;
function validateInput(userInput) {
  if (dangerousPattern.test(userInput)) {
    // Reject (or sanitize further) before the value reaches DOMPurify
    throw new Error('Input contains a rawtext closing tag');
  }
  return userInput;
}
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate impact of successful XSS
- Use additional output encoding specific to your context (HTML, JavaScript, URL encoding)
🔍 How to Verify
Check if Vulnerable:
Check the DOMPurify version in package.json or in your application. Test with the payload <textarea><img src=x onerror=alert(1)></textarea> in SAFE_FOR_XML mode.
Check Version:
Run npm list dompurify (for Node.js), or check the browser developer tools for the loaded DOMPurify version.
Verify Fix Applied:
After updating, test that the same payload no longer executes JavaScript and is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests containing </textarea> patterns in parameters
- Error logs showing sanitization failures
Network Indicators:
- HTTP requests with suspicious attribute values containing rawtext closing tags
SIEM Query:
web_requests WHERE url_parameters CONTAINS '</textarea' OR request_body CONTAINS '</textarea'
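The single </textarea> regex in the workaround above and the '</textarea' SIEM match in this section both miss other rawtext elements and percent-encoded parameters; the following JavaScript is an added example (not DOMPurify's or Cure53's code) that flags the end tag of any rawtext/RCDATA element, checks a sanitized fragment against the element it is about to be embedded in, and scans constructed, percent-decoded request-log lines. The element list, function names, and the sample log lines are the example's own assumptions.

```javascript
// Added example (not DOMPurify or Cure53 code). Generalises the page's
// </textarea> check to every rawtext/RCDATA element and applies it to
// constructed request-log lines. Tag names are ASCII case-insensitive, and an
// end tag only counts when "</name" is followed by whitespace, "/" or ">".
const RAWTEXT_ELEMENTS = [
  'textarea', 'title',                                                   // RCDATA
  'script', 'style', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext', // raw text
];
const RAWTEXT_CLOSER = new RegExp(
  '</(' + RAWTEXT_ELEMENTS.join('|') + ')(?=[\\s/>])', 'gi');

// Distinct (lower-cased, sorted) rawtext elements whose end tag appears in value.
function findRawtextClosers(value) {
  const found = new Set();
  for (const m of value.matchAll(RAWTEXT_CLOSER)) found.add(m[1].toLowerCase());
  return [...found].sort();
}

// True when the sanitized fragment can sit inside <element> without closing it.
// Run this on the sanitizer's OUTPUT, immediately before embedding it.
function isSafeForRawtextContext(fragment, element) {
  const name = String(element).toLowerCase();
  if (!RAWTEXT_ELEMENTS.includes(name)) {
    throw new Error(`${element} is not a rawtext/RCDATA element`);
  }
  return !findRawtextClosers(fragment).includes(name);
}

// Detection: decode a logged query string or body (percent and plus encoding)
// before matching, since a plain CONTAINS '</textarea' query misses %3C%2F.
function decodeLogged(text) {
  try { return decodeURIComponent(text.replace(/\+/g, ' ')); }
  catch (e) { return text; }  // malformed escape sequence: scan the raw text
}
function flagRequestLines(lines) {
  return lines
    .map((line, i) => ({ line: i + 1, closers: findRawtextClosers(decodeLogged(line)) }))
    .filter((hit) => hit.closers.length > 0);
}

// Constructed sample log lines (hypothetical paths, not real traffic).
const SAMPLE_LOG = [
  'GET /profile?bio=hello+world HTTP/1.1',
  'POST /comment body=title%3D%22%3C%2Ftextarea%3E%22 HTTP/1.1',
  'GET /search?q=%3C%2FTITLE%20 HTTP/1.1',
];
```

flagRequestLines(SAMPLE_LOG) reports lines 2 (textarea) and 3 (title); the first line is clean.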