CVE-2025-1647: Bootstrap 3 XSS Vulnerability via DOM Clobbering in Tooltip and Popover Components
How a DOM clobbering flaw in Bootstrap 3 bypasses HTML sanitization—and what teams can do about it
A medium-severity cross-site scripting (XSS) vulnerability, CVE-2025-1647, has been disclosed in Bootstrap 3's Tooltip and Popover components. The flaw allows an attacker to bypass Bootstrap's built-in HTML sanitization through a technique called DOM clobbering, potentially enabling script execution in the browser of any user who interacts with an affected element.
This Bootstrap vulnerability affects versions 3.4.1 and above (up to, but not including, 4.0.0). Bootstrap 3 has been end-of-life since July 2019 and will not receive an open source patch. For organizations still running Bootstrap 3 in production, NES for Bootstrap delivers a remediated package as a drop-in replacement, with the fix available in version 3.4.7.
What Is CVE-2025-1647?
CVE-2025-1647 is a DOM-based cross-site scripting vulnerability in Bootstrap 3. It targets the sanitizeHtml function that Bootstrap uses internally to strip dangerous markup from HTML content rendered in Tooltips and Popovers (when data-html="true" is enabled).
Bootstrap's sanitizer relies on document.implementation.createHTMLDocument to create a safe document context for sanitization. The vulnerability exploits DOM clobbering: if an attacker can inject an HTML element with name="implementation" into the page (for example, <img name="implementation">), the browser's native document.implementation property is overridden. When Bootstrap subsequently calls createHTMLDocument, the call fails silently, and sanitization is skipped entirely. Any HTML content passed to a Tooltip or Popover title or content attribute is then rendered without filtering, enabling arbitrary script execution.
CVSS 3.1 Score: 5.6 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Note: This score is sourced from the GitHub Advisory Database (GHSA-q58r-hwc8-rm9j). NVD enrichment was still pending at time of publication. Verify the latest NVD-assigned score at https://nvd.nist.gov/vuln/detail/CVE-2025-1647.
The attack complexity is rated High because exploitation requires the attacker to place a DOM-clobbering element in the page alongside a Tooltip or Popover configured to render HTML. In applications where user-controlled markup can appear on the same page as Bootstrap components, this condition is achievable.
Why This Matters
This Bootstrap 3 security issue will surface in security scans regardless of whether your team considers the attack pattern likely in your specific application. Tools like Snyk, Tenable, and OWASP Dependency-Check flag known CVEs against your dependency manifest. Once CVE-2025-1647 appears in their databases, any application shipping Bootstrap 3.4.1 will trigger an alert.
For teams operating under compliance frameworks like SOC 2, PCI DSS, ISO 27001, or HIPAA, an unpatched CVE in a front-end dependency creates a documented compliance gap. It does not matter that the severity is Medium or that the attack requires specific preconditions. Auditors and automated policy engines evaluate the presence of known, unpatched vulnerabilities, not the probability of exploit in a given environment.
The operational impact is real: CI/CD pipelines with security gates will flag or block deployments. Security teams will open remediation tickets with SLA timelines. Engineering teams will need to respond, even if the underlying application code is otherwise stable and functional.
Who Is Affected
CVE-2025-1647 affects Bootstrap versions greater than or equal to 3.4.1 and less than 4.0.0.
Bootstrap 3.4.1 was the final open source release of Bootstrap 3, published in February 2019. Bootstrap 3 moved to end-of-life status on July 24, 2019. No further patches will be issued by the upstream Bootstrap project for this version line.
This is also relevant for teams using bootstrap-sass, which packages Bootstrap 3 for Sass-based build pipelines. The underlying Bootstrap JavaScript is the same, and the vulnerability applies equally. NES for Bootstrap covers bootstrap-sass as part of its Bootstrap 3 support.
Additionally, Bootstrap 3 is frequently included as a transitive dependency through theme packages, CMS plugins, and legacy admin dashboards. Teams should check their dependency tree, not just their direct package.json entries.
Why This Is Hard to Fix
The standard recommendation is to upgrade to Bootstrap 5. However, for many organizations running Bootstrap 3, this is not a realistic short-term option.
Bootstrap 5 is not an incremental upgrade from Bootstrap 3. It is a fundamentally different framework. Bootstrap 5 removes the jQuery dependency entirely, restructures core components, replaces the grid system, renames hundreds of CSS classes, and introduces a utility-first approach to layout and spacing. Custom themes, overrides, and JavaScript integrations built for Bootstrap 3 do not transfer cleanly.
For teams with large or complex front-end codebases, migrating from Bootstrap 3 to Bootstrap 5 often requires a near-complete rewrite of the UI layer. This is a project that can take months of dedicated effort, with significant regression testing across browsers and screen sizes. Teams maintaining legacy applications with limited developer bandwidth (a common pattern for Bootstrap 3 applications in 2026) simply cannot absorb that level of disruption to address a single CVE.
Even migrating to Bootstrap 4 first is not a viable stepping stone: Bootstrap 4 reached end of life on January 1, 2023, and is itself accumulating unpatched vulnerabilities (including CVE-2024-6531, an XSS issue in the Carousel component).
Technical Breakdown
The root cause centers on Bootstrap 3's sanitizeHtml function, which is called whenever a Tooltip or Popover renders user-provided HTML content (enabled via data-html="true").
The sanitizer creates a temporary DOM document using document.implementation.createHTMLDocument(''), parses the input HTML in that isolated context, and strips elements not on the allowlist. This is a sound approach, but it depends on document.implementation being the browser's native DOMImplementation object.
DOM clobbering exploits the browser's behavior of mapping named HTML elements (elements with a name attribute) to properties on the document object. An element like <img name="implementation"> causes document.implementation to resolve to that <img> element instead of the native DOMImplementation. When Bootstrap then attempts to call createHTMLDocument, the call fails, the sanitizer catches the error and returns the original (unsanitized) HTML, and the content is inserted into the DOM with script execution intact.
The attack requires two conditions: a DOM-clobbering element present in the page, and a Tooltip or Popover with data-html="true" rendering attacker-influenced content. In applications that accept any form of user markup (comments, profile fields, CMS content), both conditions can be present.
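The fail-open path described above beside a fail-closed variant, as an added example; this is neither Bootstrap's own sanitizer nor the NES for Bootstrap fix. The document is passed in as a parameter and the allowlist walk is supplied by the caller as `filter`, so the constructed stand-in documents at the bottom run without a browser; `probe()` in the sample input is a placeholder name.

```javascript
// Added example: fail-open vs fail-closed handling of a clobbered
// document.implementation. Not Bootstrap or HeroDevs code.

// A clobbered lookup resolves to an HTMLElement (it carries a tagName);
// a genuine DOMImplementation has a callable createHTMLDocument and no tagName.
function isNativeImplementation(impl) {
  return !!impl && typeof impl === 'object' && !('tagName' in impl)
    && typeof impl.createHTMLDocument === 'function';
}

// Escape markup so a tooltip shows text instead of rendering HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern the advisory describes: look up document.implementation at
// call time and hand back the original markup when the call throws.
function sanitizeFailOpen(doc, unsafeHtml, filter) {
  try {
    const tmp = doc.implementation.createHTMLDocument('');
    return filter(tmp, unsafeHtml);
  } catch (e) {
    return unsafeHtml; // fails open: attacker markup reaches the DOM
  }
}

// Hardened form: verify and bind createHTMLDocument once when the sanitizer
// is built, and return escaped text whenever the safe document is unavailable.
function makeHardenedSanitizer(doc, filter) {
  const impl = doc.implementation;
  const create = isNativeImplementation(impl) ? impl.createHTMLDocument.bind(impl) : null;
  return function sanitize(unsafeHtml) {
    if (!create) return escapeHtml(unsafeHtml);
    try {
      return filter(create(''), unsafeHtml);
    } catch (e) {
      return escapeHtml(unsafeHtml); // fails closed
    }
  };
}

// Constructed stand-ins: a "native" document, and one whose `implementation`
// property has been shadowed by <img name="implementation">.
const nativeDoc = { implementation: { createHTMLDocument: () => ({ body: {} }) } };
const clobberedDoc = { implementation: { tagName: 'IMG', name: 'implementation' } };
// Stand-in allowlist filter: a real one walks the parsed temporary document.
const stripScripts = (tmp, html) => html.replace(/<script\b[\s\S]*?<\/script>/gi, '');
const sample = '<b>hi</b><script>probe()</script>'; // constructed test input
```

With `clobberedDoc`, `sanitizeFailOpen` returns `sample` unchanged while the hardened sanitizer returns it fully escaped.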
The HeroDevs Solution
NES for Bootstrap provides Never-Ending Support (NES) for Bootstrap 3 (and Bootstrap 4). NES delivers remediated packages for end-of-life Bootstrap versions as drop-in replacements, with zero code changes required.
CVE-2025-1647 is resolved in NES for Bootstrap v3.4.7. The fix hardens the sanitizeHtml function to prevent DOM clobbering from bypassing the sanitization step. The remediated package ships through a private registry, and switching to it takes minutes: update your package manager token and install. No refactoring, no jQuery removal, no class renaming.
NES for Bootstrap also covers previously disclosed Bootstrap 3 vulnerabilities, including CVE-2024-6484 (Carousel XSS), CVE-2024-6485 (Button plugin XSS), CVE-2019-8331, and CVE-2018-14042. A single NES subscription resolves CVE-2025-1647 and every other known Bootstrap 3 CVE, with ongoing coverage as new vulnerabilities are discovered.
How to Fix CVE-2025-1647
If you can upgrade to Bootstrap 5: This is the long-term recommendation. Bootstrap 5.x is actively maintained and is not affected by this vulnerability. Plan and resource the migration, but be realistic about the timeline and effort involved.
If you are running Bootstrap 3 in production and cannot migrate short-term: NES for Bootstrap resolves this vulnerability immediately. The remediated package is available today as a drop-in replacement for Bootstrap 3.4.1, with no application code changes required. Your team gets the fix for CVE-2025-1647 and every subsequent Bootstrap 3 CVE while you plan your migration on your own timeline.
Taking Action
CVE-2025-1647 is another reminder that end-of-life does not mean end-of-risk. Bootstrap 3 has been EOL for nearly seven years, but it remains deeply embedded in enterprise applications, admin interfaces, and legacy front ends. Each new CVE adds another flag in your scanner dashboard, another item on your compliance remediation list, and another conversation with your security team.
If your organization depends on Bootstrap 3, NES for Bootstrap is designed to close exactly this gap. Get the security fix today, buy back your engineering time, and migrate on a timeline that works for your team.
CVE-2025-1647 was discovered by Johan Carlsson (joaxcar) and responsibly disclosed through HeroDevs.