CVE-2025-26791

4.5 MEDIUM

📋 TL;DR

DOMPurify versions before 3.2.4 contain a regular expression flaw in template literal handling that can allow mutation cross-site scripting (mXSS) attacks. This vulnerability enables attackers to bypass HTML sanitization and inject malicious scripts that execute when the sanitized content is parsed by browsers. Any web application using vulnerable DOMPurify versions for user input sanitization is affected.

💻 Affected Systems

Products:
  • DOMPurify
Versions: All versions before 3.2.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using DOMPurify's default configuration with template literal handling enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can execute arbitrary JavaScript in victims' browsers, leading to session hijacking, credential theft, defacement, or malware delivery.

🟠 Likely Case

Targeted mXSS attacks against users of vulnerable applications, potentially stealing sensitive data or performing actions on behalf of authenticated users.

🟢 If Mitigated

Limited impact with proper input validation layers and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Multiple public proof-of-concept demonstrations exist showing mXSS bypass techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.4

Vendor Advisory: https://github.com/cure53/DOMPurify/releases/tag/3.2.4

Restart Required: No

Instructions:

1. Update the DOMPurify dependency to version 3.2.4 or later.
2. For npm: run 'npm update dompurify'.
3. For yarn: run 'yarn upgrade dompurify'.
4. Verify that the updated version is correctly deployed.

🔧 Temporary Workarounds

Disable template literal handling

Applies to: all

Configure DOMPurify to disable template literal parsing if it is not required. The option that controls this handling is SAFE_FOR_TEMPLATES (it is off by default; the original page named a non-existent USE_TEMPLATE_LITERALS option, corrected here):

// SAFE_FOR_TEMPLATES: false leaves template-literal handling disabled
const clean = DOMPurify.sanitize(dirty, {SAFE_FOR_TEMPLATES: false});

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate script execution
  • Add additional input validation layers before DOMPurify processing

🔍 How to Verify

Check if Vulnerable:

Check package.json or lock files for DOMPurify version <3.2.4

Check Version:

npm list dompurify | grep dompurify

Verify Fix Applied:

Verify DOMPurify version is 3.2.4 or higher in package.json and running application

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML input patterns with template literals
  • Increased sanitization errors

Network Indicators:

  • Suspicious HTML payloads containing template literal patterns

SIEM Query:

source="web_logs" AND (message="template" OR message="literal") AND status=200
