CVE-2025-15599 Overview
CVE-2025-15599 is a cross-site scripting (XSS) vulnerability affecting DOMPurify, a popular DOM-only XSS sanitizer library for HTML, MathML, and SVG. The vulnerability exists in versions 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8, allowing attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. This flaw enables malicious actors to include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements.
Critical Impact
Attackers can execute arbitrary JavaScript in victim browsers by bypassing DOMPurify's XSS sanitization, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of users.
Affected Products
- Cure53 DOMPurify versions 3.1.3 through 3.2.6
- Cure53 DOMPurify versions 2.5.3 through 2.5.8
- Applications using vulnerable DOMPurify versions for HTML sanitization
Discovery Timeline
- 2026-03-03 - CVE-2025-15599 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2025-15599
Vulnerability Analysis
This vulnerability falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw stems from an incomplete regex pattern in DOMPurify's SAFE_FOR_XML sanitization logic that fails to account for textarea rawtext element contexts.
When DOMPurify processes HTML content, it applies various sanitization rules to strip potentially dangerous elements and attributes. However, the vulnerability allows attackers to craft malicious input containing closing rawtext tags (such as </textarea>) within attribute values. When this sanitized content is subsequently placed inside rawtext elements by the application, the closing tag breaks out of the intended context, allowing the attacker to inject and execute arbitrary JavaScript code.
The 3.x branch has been patched in version 3.2.7, while the 2.x branch remains unpatched, affecting all vulnerable 2.x versions indefinitely.
Root Cause
The root cause is a missing validation check for textarea rawtext elements in DOMPurify's SAFE_FOR_XML regex pattern. The sanitization logic did not properly escape or reject closing rawtext tags (like </textarea>) when they appeared within attribute values. This oversight allows crafted payloads to persist through the sanitization process and later break out of their intended context when rendered.
Attack Vector
The attack is delivered over the network and requires user interaction, following the standard stored or reflected XSS pattern. An attacker can exploit this vulnerability through the following approach:
- The attacker crafts malicious HTML input containing a closing rawtext tag (e.g., </textarea>) embedded within an attribute value
- The victim application passes this input through DOMPurify for sanitization
- DOMPurify fails to detect the embedded closing tag due to the incomplete regex validation
- The application places the "sanitized" output inside a rawtext element such as <textarea>
- The browser parses the closing tag, breaking out of the textarea context
- Subsequent attacker-controlled content, including JavaScript, executes in the victim's browser
This bypass is particularly dangerous because developers trust DOMPurify's output to be safe and may place sanitized content in rawtext contexts without additional validation.
Detection Methods for CVE-2025-15599
Indicators of Compromise
- Unusual HTTP requests containing </textarea> or similar rawtext closing tags within attribute values
- Client-side JavaScript errors originating from unexpected script execution in sanitized content areas
- User reports of unexpected behavior or pop-ups on pages that use DOMPurify for sanitization
- Web application logs showing malformed HTML payloads targeting input fields
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block unauthorized inline script execution
- Deploy web application firewall (WAF) rules to flag requests containing rawtext closing tags in suspicious contexts
- Monitor JavaScript error logs for anomalies that may indicate XSS payload execution
- Conduct regular dependency audits to identify vulnerable DOMPurify versions in your codebase
Monitoring Recommendations
- Enable detailed logging for user input processing and sanitization operations
- Set up alerts for CSP violation reports which may indicate XSS exploitation attempts
- Monitor network traffic for patterns consistent with XSS payload delivery
- Review application logs for unusual HTML patterns in user-submitted content
How to Mitigate CVE-2025-15599
Immediate Actions Required
- Upgrade DOMPurify to version 3.2.7 or later for applications using the 3.x branch
- For applications using the 2.x branch, migrate to the 3.x branch as the 2.x branch was never patched
- Audit all instances where DOMPurify-sanitized output is placed inside rawtext elements like <textarea>, <title>, <script>, or <style>
- Implement additional server-side validation as a defense-in-depth measure
Patch Information
Cure53 has released a security patch in DOMPurify version 3.2.7 that addresses this vulnerability. The fix can be reviewed in the GitHub commit c861f5a83fb8d90800f1680f855fee551161ac2b. Organizations should update their DOMPurify dependency immediately. Note that the 2.x branch remains unpatched, and users of those versions should migrate to the 3.x branch. For additional technical details, refer to the VulnCheck Advisory.
Workarounds
- Avoid placing DOMPurify-sanitized output directly inside rawtext elements (<textarea>, <title>, <script>, <style>)
- Apply additional HTML entity encoding when inserting sanitized content into rawtext contexts
- Implement strict Content Security Policy (CSP) headers to mitigate the impact of potential XSS exploitation
- Consider using server-side sanitization as a secondary layer of protection for critical applications
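The attack chain above and the first two workarounds can be turned into a concrete defense-in-depth guard. The following is an added example, not DOMPurify's or Cure53's own code: it detects the closing-rawtext-tag sequence in already-sanitized output (so the event can be logged) and entity-encodes it before the fragment is placed inside a rawtext element. The helper names, the sample fragment and the console warning are assumptions for illustration.

```javascript
// Added example (not DOMPurify's own code): a defense-in-depth guard for the
// case this advisory describes, where sanitized HTML is later inserted into a
// rawtext element. Browsers end a rawtext element at the first "</name"
// followed by whitespace, "/" or ">", so that sequence must never reach such
// a context unescaped, regardless of what the sanitizer returned.
const RAWTEXT_ELEMENTS = ["textarea", "title", "script", "style"];

// Matches "</textarea", "</TITLE ", "</script/" etc. anywhere in the string,
// including inside attribute values, which is where the bypass hides it.
// Hypothetical helper; the element list is the one named in this advisory.
const RAWTEXT_CLOSER = new RegExp(
  "</(" + RAWTEXT_ELEMENTS.join("|") + ")(?=[\\s/>])",
  "i"
);

// Detection: report whether a sanitized fragment could terminate a rawtext
// element early. Intended as a log/alert hook before the fragment is rendered.
function containsRawtextBreakout(sanitizedHtml) {
  return RAWTEXT_CLOSER.test(sanitizedHtml);
}

// Mitigation: entity-encode every "</" so the HTML parser cannot see an end
// tag. In <textarea> and <title> the browser decodes "&lt;" back to a literal
// "<" as text, so the visible content is unchanged; in <script> and <style>
// no decoding happens and the fragment stays inert text, which is the safe
// outcome in both cases.
function escapeForRawtext(sanitizedHtml) {
  return sanitizedHtml.replace(/<\//g, "&lt;/");
}

// Safe composition: the guard runs first so the attempt can be logged, then
// the escaped fragment is wrapped. The element can no longer be closed from
// inside its own content.
function wrapInTextarea(sanitizedHtml) {
  if (containsRawtextBreakout(sanitizedHtml)) {
    console.warn("rawtext breakout sequence neutralised in sanitized output");
  }
  return "<textarea>" + escapeForRawtext(sanitizedHtml) + "</textarea>";
}

// Constructed sample: output as it could come back from an affected version,
// with a closing rawtext tag surviving inside an attribute value.
const SAMPLE = '<p title="x</textarea>y">hello</p>';
```

The regex deliberately keys on the parser's end-tag rule (tag name followed by whitespace, "/" or ">") rather than on a literal "</textarea>", so "</TEXTAREA " and "</textarea/" are caught while "</textareas>" is not.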
# Update DOMPurify via npm (install the patched release explicitly; npm update does not take a version spec)
npm install dompurify@3.2.7
# Or update via yarn
yarn upgrade dompurify@3.2.7
# Verify the installed version is 3.2.7 or later
npm list dompurify
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.