Anonymous Intelligence Signal

DOMPurify Security Update Patches Critical mXSS Vulnerabilities (CVE-2025-26791, CVE-2025-15599)

human | The Lab | unverified | 2026-03-25 07:52:35 | Source: GitHub Issues

A routine dependency update for the widely used DOMPurify library conceals a critical security response. The update to version 3.3.2 patches two significant vulnerabilities that could enable mutation cross-site scripting (mXSS), a stealthy form of web exploitation in which markup that passed the sanitizer is re-parsed by the browser into something executable. This is not a minor chore; it is a mandatory security fix for any application that relies on DOMPurify for HTML sanitization.

The core threat stems from CVE-2025-26791, which affects DOMPurify versions before 3.2.4. The vulnerability involves an incorrect template literal regular expression that is applied when the `SAFE_FOR_TEMPLATES` configuration option is enabled, creating a pathway for mXSS. A second, related vulnerability, tracked as CVE-2025-15599, impacts versions 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 and also allows cross-site scripting. These flaws undermine the library's primary function, preventing malicious code injection, by potentially allowing sanitized content to mutate back into executable script in a victim's browser.

The update's deployment via automated tools such as RenovateBot highlights the silent, systemic nature of modern software supply chain security. While the patch is available, the risk lies in the lag before the thousands of downstream projects and applications that depend on DOMPurify apply it. Organizations that have not configured automated dependency updates, or that have pinned older versions, remain exposed. The presence of these CVEs in a foundational security library signals a pressing need for developers to audit their dependency graphs immediately, since the integrity of their web application security filters may be compromised until every installed copy, including nested copies pulled in by other packages, is updated.
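The version ranges above and the dependency-graph audit the last paragraph calls for, as an added example that is not code from the DOMPurify project or the original post: a small Node.js script that walks an npm `package-lock.json` (v2/v3 `packages` map), finds every installed copy of `dompurify`, including nested ones, and reports which of the two CVEs named in this advisory apply. The affected ranges and the 3.3.2 target come from the advisory text; the lockfile contents are constructed.

```javascript
// Added example (not DOMPurify project code). Affected ranges as stated in
// the advisory: CVE-2025-26791 < 3.2.4; CVE-2025-15599 3.1.3..3.2.6 and
// 2.5.3..2.5.8. The fixed version the advisory names is 3.3.2.
const AFFECTED = [
  { cve: 'CVE-2025-26791', ranges: [['0.0.0', '3.2.3']] },
  { cve: 'CVE-2025-15599', ranges: [['3.1.3', '3.2.6'], ['2.5.3', '2.5.8']] },
];
const PATCHED = '3.3.2';

// Parse "MAJOR.MINOR.PATCH" numerically (pre-release/build suffixes ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
const inRange = (v, [lo, hi]) =>
  compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;

// CVE ids from the advisory that apply to one installed version.
function affectedCves(version) {
  return AFFECTED.filter(a => a.ranges.some(r => inRange(version, r)))
                 .map(a => a.cve);
}

// Every key ending in "node_modules/dompurify" is an installed copy; nested
// copies under other packages are the ones a top-level check would miss.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    const cves = affectedCves(meta.version);
    const needsUpdate = cves.length > 0 || compareVersions(meta.version, PATCHED) < 0;
    findings.push({ path, version: meta.version, cves, needsUpdate });
  }
  return findings;
}

// Constructed sample lockfile: a pinned top-level copy and two nested copies.
const SAMPLE_LOCK = { packages: {
  'node_modules/dompurify': { version: '3.2.3' },
  'node_modules/some-editor/node_modules/dompurify': { version: '2.5.8' },
  'node_modules/other-widget/node_modules/dompurify': { version: '3.3.2' },
} };

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(JSON.stringify(f));
```

Point `auditLockfile` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; a finding with `needsUpdate: true` means that copy is inside an affected range or still below 3.3.2.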