CVE-2025-15599: DOMPurify contains a Cross-site Scripting vulnerability
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
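To check a project against the version ranges above, the following added example (not DOMPurify or GitLab code) audits an npm lockfile's "packages" map for every installed copy of dompurify, including copies nested under other dependencies. The lockfile contents, the package names around dompurify and the wording of the suggested action are constructed for illustration.

```javascript
// Affected ranges and fixed version as stated in the advisory text.
const AFFECTED = [
  { min: [3, 1, 3], max: [3, 2, 6], fixed: "3.2.7" },
  { min: [2, 5, 3], max: [2, 5, 8], fixed: null }, // 2.x branch never patched
];

// Parse "x.y.z" into [x, y, z]; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Return the affected range a version string falls in, or null.
function affectedRange(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return AFFECTED.find(r => cmp(v, r.min) >= 0 && cmp(v, r.max) <= 0) || null;
}

// Walk every installed copy; transitive copies live under nested node_modules.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue; // exact name only
    const range = affectedRange(meta.version);
    if (!range) continue;
    findings.push({ path, version: meta.version,
      action: range.fixed ? `upgrade to ${range.fixed} or later`
                          : "no fix on 2.x; move to 3.2.7 or later" });
  }
  return findings;
}

// Constructed sample lockfile (npm lockfileVersion 3 layout), not a real project.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/dompurify": { version: "3.2.7" },
  "node_modules/pdf-widget/node_modules/dompurify": { version: "2.5.8" },
  "node_modules/editor/node_modules/dompurify": { version: "3.1.3" },
  "node_modules/@types/dompurify": { version: "3.2.0" }, // lookalike, skipped
} };

console.log(auditLockfile(sampleLock));
```

In a real project, pass the parsed contents of package-lock.json to auditLockfile instead of the sample object.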
References
- github.com/advisories/GHSA-v8jm-5vwx-cfxm
- github.com/cure53/DOMPurify
- github.com/cure53/DOMPurify/commit/c861f5a83fb8d90800f1680f855fee551161ac2b
- nvd.nist.gov/vuln/detail/CVE-2025-15599
- www.vulncheck.com/advisories/dompurify-xss-via-textarea-rawtext-bypass-in-safe-for-xml
- www.vulncheck.com/advisories/dompurify-xss-via-textarea-rawtext-bypass-in-safeforxml