
CVE-2025-26791: Cure53 DOMPurify mXSS Vulnerability

CVE-2025-26791 is a mutation cross-site scripting flaw in Cure53 DOMPurify caused by an incorrect template literal regular expression. This vulnerability affects versions before 3.2.4 and enables mXSS attacks. This article covers technical details, affected versions, impact assessment, and mitigation strategies.


CVE-2025-26791 Overview

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

Critical Impact

This vulnerability allows attackers to conduct mXSS attacks, potentially compromising user data.

Affected Products

  • Cure53 DOMPurify

Discovery Timeline

  • 2025-02-14T09:15:08.067 - CVE-2025-26791 published to NVD
  • 2025-10-07T20:56:12.317 - Last updated in NVD database

Technical Details for CVE-2025-26791

Vulnerability Analysis

The vulnerability is caused by improper regular expression handling in DOMPurify, which can lead to mutation XSS, a type of stored XSS attack vector.

Root Cause

The root cause is an incorrect template literal regular expression used in DOMPurify’s input sanitization process.

Attack Vector

The attack vector is network-based: remote attackers can exploit this vulnerability through crafted HTML content.

javascript
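// Example exploitation code (sanitized): a generic XSS test string passed to
// DOMPurify.sanitize(); it is not a working payload for this CVE.
var template = `<img src=x onerror=alert(1)>`;
// Use the returned string; the input variable itself is left unchanged.
var clean = DOMPurify.sanitize(template);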

Detection Methods for CVE-2025-26791

Indicators of Compromise

  • Presence of abnormal script tags in user inputs
  • Unusual DOM mutations during DOMPurify execution
  • Alerts triggered upon user input render

Detection Strategies

Network security tools can monitor HTTP requests for DOM-related anomalies and unexpected script tags.

Monitoring Recommendations

Utilize browser-based security tools to capture XSS patterns or anomalies during input processing.

How to Mitigate CVE-2025-26791

Immediate Actions Required

  • Update DOMPurify to version 3.2.4
  • Conduct manual code review to ensure no templates are misused
  • Implement server-side input validation as a secondary control
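
To support the first action above, the following added example (not code from Cure53 or from this advisory) scans an npm lockfile for every installed copy of dompurify older than 3.2.4, including copies nested under other packages. The lockfile contents and the package names example-editor and example-dompurify-wrapper are constructed for illustration.

```javascript
// Added example: find dompurify installs older than the fixed release (3.2.4)
// in an npm lockfile that uses the lockfileVersion 2/3 "packages" map.
const FIXED = [3, 2, 4]; // fixed version stated in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when the version sorts before 3.2.4. A prerelease of 3.2.4 itself
// (e.g. 3.2.4-rc.1) precedes the release and is treated as affected.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // unparseable: flag for manual review instead of passing silently
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Walk every installed copy, including nested ones under other packages.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Aliased installs carry an explicit "name"; otherwise derive it from the path.
    const name = meta.name || path.split("node_modules/").pop();
    if (name === "dompurify" && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = JSON.parse(`{
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-app", "version": "1.0.0" },
    "node_modules/dompurify": { "version": "3.2.4" },
    "node_modules/example-editor": { "version": "2.0.0" },
    "node_modules/example-editor/node_modules/dompurify": { "version": "3.1.7" },
    "node_modules/example-dompurify-wrapper": { "version": "1.0.0" }
  }
}`);

console.log(findAffected(SAMPLE_LOCK));
```

A nested copy that stays below 3.2.4 after upgrading the direct dependency means the parent package pins it and must be updated or overridden as well.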

Patch Information

A patch has been released by Cure53 resolving this issue:
DOMPurify Patch Commit

Workarounds

If patching is not immediately possible, employ strict CSP rules to mitigate risks.

http
# Example Content Security Policy (no 'unsafe-inline', so injected inline scripts and event handlers do not run)
Content-Security-Policy: default-src 'self'; script-src 'self';

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
