CVE-2025-15599, CVE-2026-0540, GHSA-39q2-94rc-95cp

Data: 2026-04-21

Severity: MEDIUM

CVSS Score: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)

Riferimenti: - https://nvd.nist.gov/vuln/detail/CVE-2025-15599 - https://nvd.nist.gov/vuln/detail/CVE-2026-0540 - https://github.com/cure53/DOMPurify/security/advisories/GHSA-39q2-94rc-95cp

Libreria: org.webjars:swagger-ui (DOMPurify incluso nei bundle JavaScript)

Descrizione

Le vulnerabilità riguardano la libreria JavaScript DOMPurify, inclusa all’interno dei bundle JavaScript distribuiti dal jar swagger-ui (in particolare swagger-ui-bundle.js e swagger-ui-es-bundle.js).

  • CVE-2025-15599: DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

  • CVE-2026-0540: DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

  • GHSA-39q2-94rc-95cp: In src/purify.ts (v3.3.3, commit 883ac15) ADD_TAGS as a function (via EXTRA_ELEMENT_HANDLING.tagCheck) bypasses FORBID_TAGS a causa di una short-circuit evaluation: quando tagCheck(tagName) restituisce true, l’intera condizione diventa false e l’elemento viene mantenuto senza valutare FORBID_TAGS. Applicazioni che utilizzano contemporaneamente ADD_TAGS come funzione e FORBID_TAGS ottengono quindi un comportamento inatteso, con i tag proibiti che vengono comunque accettati.

Falso Positivo per GovWay

Swagger UI viene disabilitato nelle API di GovWay (proprietà support.swagger.ui=false nel file openapi-configuration.json) e i file JavaScript del bundle non vengono mai serviti a runtime dal Gateway. Tutte le vulnerabilità DOMPurify rilevate all’interno del jar swagger-ui (incluse quelle future che dovessero essere segnalate da RetireJS sulla stessa libreria) si possono quindi considerare falsi positivi.

Configuration File: false-positive.xml