Bug 2444138 (CVE-2025-15599)

Summary: CVE-2025-15599 DOMPurify: Cross-site scripting
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, abrianik, akostadi, alcohan, amasferr, anjoseph, caswilli, chfoley, cmah, dhanak, dmayorov, drosa, dschmidt, eaguilar, ebaron, erezende, eric.wittmann, fdeutsch, ggrzybek, gparvin, ibek, janstey, jbalunas, jkoehler, jlanda, jlledo, jolong, jprabhak, jrokos, kaycoth, kshier, kverlaen, lchilton, lphiri, manissin, mnovotny, nipatil, oramraz, pahickey, pantinor, parichar, pjindal, rgodfrey, rhaigner, rkubis, sausingh, sfeifer, simaishi, smcdonal, smullick, stcannon, stirabos, swoodman, tasato, teagle, thason, tsedmik, wtam, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in DOMPurify, an HTML sanitizer library. A remote attacker can bypass the library's attribute sanitization because closing rawtext tags such as `</textarea>` inside attribute values are not rejected. When an application inserts the sanitized output into a rawtext element such as `<textarea>`, the injected closing tag ends that element early and the rest of the attribute value is parsed as markup, resulting in cross-site scripting (XSS). Successful exploitation leads to arbitrary JavaScript execution in the user's browser, which could compromise user sessions or disclose sensitive information.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2444258, 2444262, 2444264, 2444270, 2444276, 2444278, 2444280, 2444259, 2444260, 2444266, 2444268, 2444272, 2444274, 2444282, 2444284, 2444286
Bug Blocks:

Description OSIDB Bzimport 2026-03-03 18:01:36 UTC
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability: the SAFE_FOR_XML regex that screens attribute values does not check for the closing tag of the `textarea` rawtext element. An attacker can place a closing tag such as `</textarea>` in an attribute value; it passes attribute sanitization, and when the sanitized output is later inserted inside a rawtext element, the closing tag ends that element early and the remainder of the attribute value is parsed as markup, executing JavaScript. Exploitation therefore requires the consuming application to place sanitizer output inside such an element. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
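The break-out described above, as an added example that is not DOMPurify's code and is not part of the original bug report. The two regexes are the editor's approximation of the shape of the SAFE_FOR_XML attribute-value check before and after the 3.2.7 fix (an assumption, not text copied from the library); `rawtextBreakout`, `attributeSurvives`, `sanitizedFragment` and the attack string are constructed for this illustration only.

```javascript
// Added example modelling CVE-2025-15599; not DOMPurify code.
// The two regexes are the editor's approximation of the SAFE_FOR_XML
// attribute-value check before and after the 3.2.7 fix (assumed shape).

// Pre-fix shape: rejects comment/CDATA terminators and closing <style>/<title>
// tags inside attribute values, but does not look for </textarea>.
const CHECK_BEFORE_FIX = /((--!?|])>)|<\/(style|title)/i;

// Post-fix shape: textarea added to the list of rawtext closers.
const CHECK_AFTER_FIX = /((--!?|])>)|<\/(style|title|textarea)/i;

// true when the attribute value would be kept by the given check.
function attributeSurvives(value, check) {
  return !check.test(value);
}

// Minimal model of the HTML tokenizer rule for <textarea> (and the other
// RCDATA/RAWTEXT elements): once inside, no tag is recognised except an end
// tag for that element, i.e. "</textarea" followed by whitespace, "/" or ">",
// matched case-insensitively. Returns everything after that end tag, which the
// browser tokenizes as ordinary markup, or null if the fragment never closes
// the element on its own.
function rawtextBreakout(tagName, fragment) {
  const endTag = new RegExp('</' + tagName + '(?=[\\s/>])[^>]*>', 'i');
  const m = endTag.exec(fragment);
  return m === null ? null : fragment.slice(m.index + m[0].length);
}

// Constructed attacker input: harmless to an attribute sanitizer (no URL
// scheme, no on* attribute name) but carrying a rawtext closer.
const ATTACK_VALUE = 'x</textarea><img src=x onerror=alert(1)>';

// What a sanitizer that keeps the attribute would emit (title is an allowed
// attribute; the value is serialized inside quotes). Constructed.
function sanitizedFragment(attrValue) {
  return '<b title="' + attrValue + '">ok</b>';
}

function demonstrate() {
  const fragment = sanitizedFragment(ATTACK_VALUE);
  // The page intended <textarea>{fragment}</textarea>; because the fragment
  // contains </textarea>, the element closes early and the tail is live markup.
  const tail = rawtextBreakout('textarea', fragment);
  return {
    keptBefore: attributeSurvives(ATTACK_VALUE, CHECK_BEFORE_FIX), // true: bypass
    keptAfter: attributeSurvives(ATTACK_VALUE, CHECK_AFTER_FIX),   // false: attribute dropped
    executable: tail !== null && /\bonerror=/i.test(tail),        // true: handler now parsed as markup
    tail,
  };
}

console.log(demonstrate());
```

`keptBefore` versus `keptAfter` is the library-side fix; `executable` is the consumer-side precondition. The break-out is only reachable where the application inserts sanitizer output into a rawtext element, so for the unpatched 2.x line, and for any 3.x below 3.2.7, the practical controls are upgrading and never placing sanitized HTML inside `<textarea>`, `<title>`, `<style>` or similar elements.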