Fluid Attacks Database

Description

DOMPurify allows Cross-site Scripting (XSS) DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	dompurify	>=0 <3.2.4	3.2.4
debian 12	node-dompurify	=2.4.1+dfsg+~2.4.0-1 \|\| =2.4.1+dfsg+~2.4.0-2 \|\| =2.4.1+dfsg+~2.4.0-2+deb12u1 \|\| =3.0.9+dfsg+~3.0.5-1 \|\| =3.1.6+dfsg+~3.0.5-1 \|\| =3.1.7+dfsg+~3.0.5-1 \|\| =3.1.7+dfsg+~3.0.5-2 \|\| =3.2.5+dfsg-1 \|\| =3.3.2+dfsg-1 \|\| =3.3.3+dfsg-1 \|\| =3.3.3+dfsg-2 \|\| =3.4.1+dfsg-1	-
debian 13	node-dompurify	>=0 <3.1.7+dfsg+~3.0.5-2	3.1.7+dfsg+~3.0.5-2
debian 14	node-dompurify	>=0 <3.1.7+dfsg+~3.0.5-2	3.1.7+dfsg+~3.0.5-2
rpm rhel10	grafana	-	-
rpm rhel8	grafana	-	-
rpm rhel9	grafana	-	-

Aliases

1. CVE-2025-267912. NVD-2025-267913. OSV-2025-267914. OSV-DEBIAN-2025-267915. GCVE-2025-267916. SECURITY-TRACKER-CVE-2025-26791

References

1. https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f022. https://ensy.zip/posts/dompurify-323-bypass3. https://github.com/cure53/DOMPurify/releases/tag/3.2.44. https://nsysean.github.io/posts/dompurify-323-bypass