DOMPurify is a widely used client-side JavaScript library designed to sanitize HTML and prevent cross-site scripting (XSS) attacks by neutralizing malicious input before rendering it in web pages. CVE-2025-15599 affects versions 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 of DOMPurify. The vulnerability stems from an incomplete sanitization process related to the handling of rawtext elements, specifically the <textarea> tag, within the SAFE_FOR_XML regular expression used to validate input. The regex fails to properly validate and neutralize closing rawtext tags embedded inside attribute values. Attackers can exploit this by injecting a closing </textarea> tag within an attribute, which prematurely terminates the rawtext context, allowing malicious JavaScript code to be executed when the sanitized content is rendered inside rawtext elements. This bypasses the intended attribute sanitization and leads to XSS. The 3.x branch of DOMPurify was patched in version 3.2.7 to address this issue, but the 2.x branch remains vulnerable with no patch available. The vulnerability is remotely exploitable without authentication but requires user interaction, such as visiting a maliciously crafted web page or viewing manipulated content. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and limited scope impact. No known exploits have been reported in the wild yet, but the widespread use of DOMPurify in web applications makes this a significant concern.

This vulnerability allows attackers to execute arbitrary JavaScript in the context of affected web applications that use vulnerable DOMPurify versions to sanitize user input. Successful exploitation can lead to theft of sensitive information such as cookies, session tokens, or other credentials, enabling account takeover or further attacks like phishing or malware distribution. It can also allow attackers to manipulate the DOM, deface websites, or perform actions on behalf of the user. Given DOMPurify's popularity in securing web applications, a large number of websites and services could be affected globally. The impact is particularly critical for applications handling sensitive user data, financial transactions, or enterprise environments where trust boundaries are crucial. Although the vulnerability requires user interaction, the ease of exploitation via crafted web content or user-generated input makes it a moderate risk. The lack of a patch for the 2.x branch increases exposure for legacy systems. Organizations relying on vulnerable versions risk reputational damage, regulatory penalties, and operational disruption if exploited.

Organizations should immediately upgrade to DOMPurify version 3.2.7 or later for the 3.x branch to remediate this vulnerability. For users of the 2.x branch, migrating to the 3.x branch is strongly recommended since no patch exists for 2.x. In the interim, developers should audit and sanitize any user input that might be embedded inside rawtext elements, especially <textarea>, using additional server-side validation and escaping techniques. Implement Content Security Policy (CSP) headers to restrict script execution and reduce the impact of potential XSS attacks. Conduct thorough code reviews and penetration testing focusing on input sanitization and output encoding. Educate developers about the risks of relying solely on client-side sanitization and encourage defense-in-depth strategies. Monitor web application logs and user reports for suspicious activity indicative of XSS exploitation attempts. Finally, maintain an inventory of all applications and libraries using DOMPurify to ensure timely updates and vulnerability management.