CVE-2025-15599 in DOMPurify
Summary
by MITRE • 03/03/2026
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/08/2026
This vulnerability resides in the DOMPurify library, a widely-used JavaScript library designed to sanitize HTML and prevent cross-site scripting attacks by removing potentially dangerous content from user-provided input. The flaw affects versions 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8, creating a significant security gap that allows attackers to bypass the library's attribute sanitization mechanisms. The vulnerability specifically targets the SAFE_FOR_XML regular expression which is responsible for validating content within rawtext elements, particularly textarea elements where content is treated as raw text without HTML parsing. This oversight enables malicious actors to inject closing tags like </textarea> directly into attribute values, effectively breaking out of the intended rawtext context where the sanitized output would normally be rendered.
The technical exploitation occurs through a sophisticated manipulation of HTML attribute values that contain closing rawtext tags. When DOMPurify processes input containing such malicious content, it fails to properly validate that attribute values cannot contain closing rawtext element tags. This validation gap allows attackers to craft payloads where the closing </textarea> tag appears within an attribute value, causing the sanitizer to incorrectly process the content and subsequently execute JavaScript code when the sanitized output is rendered inside a textarea element. The vulnerability demonstrates a classic bypass technique where the attacker leverages the parser's behavior to escape from one context into another, effectively circumventing the intended security boundaries. This represents a CWE-79 (Cross-site Scripting) vulnerability with specific characteristics related to improper input validation within rawtext element contexts.
The operational impact of this vulnerability extends beyond simple XSS execution, as it affects applications that rely on DOMPurify for HTML sanitization across multiple contexts. Applications using affected versions of DOMPurify are at risk of having malicious JavaScript code executed when sanitized content is subsequently rendered within rawtext elements such as textarea, script, or style tags. This creates a particularly dangerous scenario where legitimate sanitization processes become ineffective against attackers who understand the parser behavior and can craft payloads that exploit the specific gap in validation logic. The vulnerability affects both the 2.x and 3.x branches of DOMPurify, with the 3.x branch receiving a patch in version 3.2.7 while the 2.x branch remains unpatched, leaving many legacy applications vulnerable to this attack vector. The attack pattern aligns with ATT&CK technique T1203 (Exploitation for Client Execution) and T1531 (Account Access Through Web Shell) when considering the potential for further exploitation after initial code execution.
Organizations using affected versions of DOMPurify should immediately upgrade to patched versions where available, specifically DOMPurify 3.2.7 or later for the 3.x branch. For systems unable to upgrade immediately, implementing additional input validation measures and monitoring for suspicious attribute content patterns can provide temporary mitigation. Security teams should conduct comprehensive audits of applications using DOMPurify to identify potential attack surfaces where sanitized content might be rendered within rawtext elements. The vulnerability highlights the importance of thorough validation across all HTML element contexts and demonstrates how seemingly minor parser behavior can create significant security gaps. System administrators should also consider implementing web application firewalls with signature-based detection for known XSS patterns that exploit similar rawtext element vulnerabilities. Given the nature of this vulnerability, which exploits the fundamental parsing behavior of HTML elements, the mitigation strategy must account for the entire application stack where DOMPurify is used and ensure that all contexts where sanitized output is rendered are properly secured against potential escape vectors.