System security is an ever-growing concern, continuously prompting developers to evaluate and adapt their codebases to protect against newly discovered vulnerabilities. One such vulnerability was found in DOMPurify, a widely used library for sanitizing user-generated content in web applications. The issue, tracked as CVE-2025-26791, is a mutation cross-site scripting (mXSS) vulnerability affecting DOMPurify versions prior to 3.2.4. In this post, we will walk through this vulnerability, how to exploit it, and how to protect your applications from it.
Vulnerability Details
DOMPurify is an HTML sanitizer that is designed to protect against XSS vulnerabilities by removing any malicious content from user-generated HTML. The library uses a set of regular expressions to parse and clean user-submitted content, ensuring that the output renders safely in the browser without executing any potentially harmful JavaScript.
The issue lies in an incorrect template literal regular expression in the library. Because of it, DOMPurify versions prior to 3.2.4 let JavaScript template literal syntax pass through sanitization in user-submitted content, which in certain cases could lead to a mutation cross-site scripting attack.
Exploit Details
The vulnerability can be exploited using a specially crafted payload containing malicious JavaScript code wrapped in template literals. This payload bypasses DOMPurify's sanitization process and ends up being executed in the browser of any user visiting the affected page.
For instance, an attacker targeting a vulnerable DOMPurify deployment might use the following payload:
```javascript
const maliciousPayload = `<img src=x onerror=${alert(1)}>`;
```
When an application running DOMPurify < 3.2.4 sanitizes and renders this payload, the JavaScript code within the template literal will execute, causing the alert to be triggered.
Original References
This vulnerability was initially disclosed in the DOMPurify GitHub repository, in the following issue post: issue #569.
Shortly after the disclosure, the DOMPurify team addressed the vulnerability by releasing version 3.2.4, which includes the patch for the incorrect template literal regular expression. The updated release can be found at the DOMPurify GitHub repository, under releases.
2. Verify that any user-generated content is sanitized using the patched version of DOMPurify.
3. Audit your application code and any dependencies for potential mXSS or other security vulnerabilities.
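To support the audit in step 3, the following script is an added example (not code from the original post or from the DOMPurify project) that scans a package-lock.json "packages" map for every DOMPurify install, including copies nested under other dependencies, and flags any version older than the patched 3.2.4. The lockfile content and the "some-editor" package name are constructed for illustration.

```javascript
// Added example: find DOMPurify installs older than the patched release in a
// lockfileVersion 2/3 package-lock.json. Sample data below is constructed.
const PATCHED_DOMPURIFY = "3.2.4";

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any pre-release tag is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions numerically per component; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every "packages" key ending in "node_modules/dompurify" is one installed copy,
// whether it is a direct dependency or nested under another package.
function findVulnerableDompurify(lockfile) {
  const packages = lockfile.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    if (!meta.version) continue; // link entries carry no version; skip them
    if (compareVersions(meta.version, PATCHED_DOMPURIFY) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed lockfile: a vulnerable direct install plus a patched nested copy.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { dompurify: "^3.1.0" } },
    "node_modules/dompurify": { version: "3.1.7" },
    "node_modules/some-editor": { version: "1.0.0", dependencies: { dompurify: "^3.2.4" } },
    "node_modules/some-editor/node_modules/dompurify": { version: "3.2.4" },
  },
};

// Real use: pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")) instead.
for (const f of findVulnerableDompurify(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}: dompurify ${f.version} is older than ${PATCHED_DOMPURIFY}, upgrade required`);
}
```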
Conclusion
CVE-2025-26791 is a significant security vulnerability that has been addressed in DOMPurify version 3.2.4. By updating your applications to use the patched version and ensuring that user-generated content is properly sanitized, you can protect your users from potential mutation cross-site scripting attacks.
Remember to stay vigilant and proactive in keeping your application secure, as new vulnerabilities are discovered continuously. Be sure to keep your dependencies up to date and regularly review security disclosures in order to provide the most secure experience for your users.
Timeline
Published on: 02/14/2025 09:15:08 UTC
Last modified on: 02/14/2025 16:15:37 UTC