.. _vulnerabilityManagement_skip_registry_34x_CVE-2025-15599:

CVE-2025-15599, CVE-2026-0540, GHSA-39q2-94rc-95cp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data: 2026-04-21

Severity: MEDIUM

CVSS Score:  5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)

Riferimenti:
- `https://nvd.nist.gov/vuln/detail/CVE-2025-15599 <https://nvd.nist.gov/vuln/detail/CVE-2025-15599>`_
- `https://nvd.nist.gov/vuln/detail/CVE-2026-0540 <https://nvd.nist.gov/vuln/detail/CVE-2026-0540>`_
- `https://github.com/cure53/DOMPurify/security/advisories/GHSA-39q2-94rc-95cp <https://github.com/cure53/DOMPurify/security/advisories/GHSA-39q2-94rc-95cp>`_

Libreria: org.webjars:swagger-ui (DOMPurify incluso nei bundle JavaScript)

**Descrizione**

Le vulnerabilità riguardano la libreria JavaScript DOMPurify, inclusa all'interno dei bundle JavaScript
distribuiti dal jar ``swagger-ui`` (in particolare ``swagger-ui-bundle.js`` e ``swagger-ui-es-bundle.js``).

- *CVE-2025-15599*: DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like ``</textarea>`` in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

- *CVE-2026-0540*: DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like ``</noscript><img src=x onerror=alert(1)>`` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

- *GHSA-39q2-94rc-95cp*: In ``src/purify.ts`` (v3.3.3, commit 883ac15) ``ADD_TAGS`` as a function (via ``EXTRA_ELEMENT_HANDLING.tagCheck``) bypasses ``FORBID_TAGS`` a causa di una short-circuit evaluation: quando ``tagCheck(tagName)`` restituisce ``true``, l'intera condizione diventa ``false`` e l'elemento viene mantenuto senza valutare ``FORBID_TAGS``. Applicazioni che utilizzano contemporaneamente ``ADD_TAGS`` come funzione e ``FORBID_TAGS`` ottengono quindi un comportamento inatteso, con i tag proibiti che vengono comunque accettati.


**Falso Positivo per GovWay**

Swagger UI viene disabilitato nelle API di GovWay (proprietà ``support.swagger.ui=false`` nel file ``openapi-configuration.json``)
e i file JavaScript del bundle non vengono mai serviti a runtime dal Gateway. Tutte le vulnerabilità DOMPurify rilevate
all'interno del jar ``swagger-ui`` (incluse quelle future che dovessero essere segnalate da RetireJS sulla stessa libreria)
si possono quindi considerare falsi positivi.

Configuration File: `false-positive.xml <https://raw.githubusercontent.com/link-it/govway/3.4.x/mvn/dependencies/owasp/falsePositives/swagger-ui.xml>`_