
CVE-2025-15599: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cure53 DOMPurify

Severity: Medium
Published: Tue Mar 03 2026 (03/03/2026, 17:26:05 UTC)
Source: CVE Database V5
Vendor/Project: cure53
Product: DOMPurify

Description

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

AI-Powered Analysis

Last updated: 03/03/2026, 17:47:59 UTC

Technical Analysis

DOMPurify is a widely used client-side JavaScript library designed to sanitize HTML and prevent cross-site scripting (XSS) attacks by neutralizing malicious input during web page generation. CVE-2025-15599 affects versions 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 of DOMPurify. The vulnerability stems from an incomplete sanitization process related to the handling of rawtext elements, specifically the textarea element, within the SAFE_FOR_XML regular expression used to validate input. This missing validation allows attackers to inject closing rawtext tags such as </textarea> inside attribute values, effectively breaking out of the rawtext context. When the sanitized output is placed inside rawtext elements, this can lead to execution of arbitrary JavaScript code, resulting in a cross-site scripting attack. The 3.x branch of DOMPurify was patched in version 3.2.7 to address this issue, but the 2.x branch remains vulnerable as it has not been patched. The vulnerability has a CVSS 4.0 base score of 5.1, reflecting a medium severity level. It requires no privileges but does require user interaction, such as a victim visiting a crafted web page. No known exploits have been reported in the wild to date. This vulnerability is significant because DOMPurify is commonly embedded in web applications and frameworks to sanitize user-generated content, and a successful exploit could allow attackers to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, data theft, or other malicious activities.

Potential Impact

The impact of CVE-2025-15599 is primarily on the confidentiality and integrity of web applications that rely on vulnerable versions of DOMPurify for sanitizing user input. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser, which can lead to theft of sensitive information such as cookies, session tokens, or other credentials. It can also enable further attacks like phishing, defacement, or spreading malware. Since DOMPurify is widely used in many web applications and frameworks globally, the scope of affected systems is broad. The vulnerability does not directly affect server availability but can undermine user trust and lead to reputational damage. Because exploitation requires user interaction, the attack vector typically involves social engineering or tricking users into visiting maliciously crafted web pages. Organizations that embed vulnerable DOMPurify versions in their web applications risk exposing their users to these attacks, especially in environments where user-generated content is displayed without additional sanitization layers.

Mitigation Recommendations

To mitigate CVE-2025-15599, organizations should immediately upgrade to DOMPurify version 3.2.7 or later for the 3.x branch, which contains the patch for this vulnerability. For users of the 2.x branch, it is strongly recommended to migrate to the 3.x branch since the 2.x branch remains unpatched and vulnerable. Additionally, developers should review their use of DOMPurify to ensure that sanitized output is not placed inside rawtext elements without proper context validation. Implementing Content Security Policy (CSP) headers can provide an additional layer of defense by restricting the execution of unauthorized scripts. Web application developers should also conduct thorough input validation and output encoding as defense-in-depth measures. Regular security testing, including automated scanning for XSS vulnerabilities and manual code reviews focusing on sanitization logic, is advised. Finally, educating developers about the correct usage of sanitization libraries and staying current with security patches is critical to preventing exploitation.
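The recommendation above that sanitized output not be placed inside rawtext elements can be enforced at the point where the application writes DOMPurify's result into the DOM. The following helper is an added example written for this advisory; it is not DOMPurify code, not the 3.2.7 patch, and not a substitute for upgrading. The element list follows the HTML parser's rawtext, RCDATA and script-data elements; the names `planInsertion`, `renderSanitized`, `attributesWithRawtextClosingTags`, the `mode`/`suspicious` decision model and the `onSuspicious` callback are this example's own assumptions.

```javascript
// Added defensive helper (not DOMPurify code, not the upstream patch).
// Guards the step the advisory warns about: sanitized HTML must never be
// inserted as markup into a rawtext/RCDATA element, because a closing tag
// for that element anywhere in the string ends the context and the rest is
// parsed as live HTML.

// Elements whose content the HTML parser treats as raw text (assumed list,
// taken from the parser's rawtext, RCDATA and script-data element groups).
const RAWTEXT_ELEMENTS = new Set([
  "textarea", "title",                 // RCDATA
  "style", "xmp", "iframe",            // rawtext
  "noembed", "noframes", "plaintext",
  "script",                            // script data
]);

// Closing tag of any rawtext-style element. Used as a coarse telemetry
// signal over the whole sanitized string, not as a blocker.
const RAWTEXT_CLOSING_TAG_RE =
  /<\/(textarea|title|style|xmp|iframe|noembed|noframes|plaintext|script)\b/i;

function isRawtextElement(tagName) {
  return RAWTEXT_ELEMENTS.has(String(tagName).toLowerCase());
}

function containsRawtextClosingTag(markup) {
  return RAWTEXT_CLOSING_TAG_RE.test(String(markup));
}

// Decide how sanitized markup may be placed into a target element.
//   mode "text": target is a rawtext element; assign textContent only, so
//                the browser never re-parses the string as markup.
//   mode "html": ordinary element; innerHTML is acceptable.
// `suspicious` is true when the sanitized string still carries a closing
// rawtext tag, which is worth logging even when the insertion is safe.
function planInsertion(targetTagName, sanitizedHtml) {
  const suspicious = containsRawtextClosingTag(sanitizedHtml);
  const mode = isRawtextElement(targetTagName) ? "text" : "html";
  return { mode, suspicious };
}

// Browser-side entry point. `target` is a DOM element (a plain object with
// tagName/textContent/innerHTML works for offline tests), `sanitizedHtml`
// is the string returned by DOMPurify.sanitize(). `onSuspicious` is an
// assumed hook for the application's logging.
function renderSanitized(target, sanitizedHtml, onSuspicious = () => {}) {
  const plan = planInsertion(target.tagName, sanitizedHtml);
  if (plan.suspicious) {
    onSuspicious({ tagName: target.tagName, markup: sanitizedHtml });
  }
  if (plan.mode === "text") {
    target.textContent = sanitizedHtml;   // literal text, never parsed
  } else {
    target.innerHTML = sanitizedHtml;
  }
  return plan;
}

// Browser-only, more precise check: walk a parsed fragment and report
// attribute values that contain a closing rawtext tag, which is where the
// advisory says the bypass payload is carried. Requires a DOM; not run here.
function attributesWithRawtextClosingTags(root) {
  const hits = [];
  for (const el of root.querySelectorAll("*")) {
    for (const attr of el.attributes) {
      if (containsRawtextClosingTag(attr.value)) {
        hits.push({ element: el.tagName.toLowerCase(), attribute: attr.name });
      }
    }
  }
  return hits;
}
```

In practice `renderSanitized(document.getElementById("preview"), DOMPurify.sanitize(userHtml), report)` replaces a bare `innerHTML` assignment; the whole-string regex will also fire on a legitimate allowed `<style>` block, so treat `suspicious` as a signal to log and review, and use `attributesWithRawtextClosingTags(template.content)` on a parsed fragment when an attribute-scoped verdict is needed.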


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-03-03T16:11:56.845Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69a71bdad1a09e29cb63690d

Added to database: 3/3/2026, 5:35:22 PM

Last enriched: 3/3/2026, 5:47:59 PM

Last updated: 3/4/2026, 7:52:57 AM