CVE-2025-15599

Name of the Vulnerable Software and Affected Versions DOMPurify versions 2.5.3 through 2.5.8 DOMPurify versions 3.1.3 through 3.2.6

Description DOMPurify contains a cross-site scripting issue that allows attackers to bypass attribute sanitization. This is due to missing textarea rawtext element validation in the SAFE FOR XML regex. Attackers can include closing rawtext tags, such as , in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The textarea element and its rawtext attribute are involved in this bypass.

Recommendations Update to DOMPurify version 3.2.7 or later. For versions 2.5.3 through 2.5.8, there is no available fix; consider alternative sanitization libraries.