CVE-2025-1647
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS). This issue affects Bootstrap: from 3.4.1 before 4.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bootstrap 3.4.1 up to but not including 4.0.0 contains a DOM-based XSS vulnerability in the Popover and Tooltip components via DOM clobbering of the createHTMLDocument method, allowing script execution.
Vulnerability
Overview
A cross-site scripting (XSS) vulnerability exists in Bootstrap versions 3.4.1 up to but not including 4.0.0. The issue affects the Popover and Tooltip components, where the function meant to sanitize HTML input can be bypassed through a DOM clobbering technique [3]. Specifically, an attacker can manipulate the Document Object Model (DOM) by injecting an element (for example, a tag whose `name` attribute is set to `implementation`), which shadows the `document.implementation` property. Bootstrap's sanitizer looks up `document.implementation.createHTMLDocument` at call time, so the lookup resolves against the attacker-controlled element instead of the native DOMImplementation, allowing unsanitized HTML to be processed and subsequently executed [2][3].
Exploitation
Conditions
To exploit this vulnerability, an attacker must first inject a crafted element into the page's DOM—for example, via a comment field, user profile, or any other input that is rendered as HTML without appropriate filtering. No authentication or special network access is required beyond the ability to contribute content that will be displayed to other users. When a victim visits the affected page, the Bootstrap Popover or Tooltip component, when triggered, may execute arbitrary HTML/JavaScript that was not properly sanitized due to the clobbered DOM method [3].
Impact
Successful exploitation allows an attacker to inject arbitrary client-side scripts into the context of another user’s browser session. This can lead to session hijacking, data theft, defacement, or other malicious actions performed within the security context of the affected site. The CVSS v3 base score is 5.6 (Medium severity), reflecting the requirement for user interaction and the need for a pre-existing injection vector [2].
Mitigation and Status
Users of Bootstrap 3 should upgrade to Bootstrap NES v3.4.7, which contains a fix for this issue [3]. For those unable to upgrade, a workaround involves avoiding the use of the Popover and Tooltip components in untrusted content contexts or manually sanitizing all user-controlled input before rendering. As of the publication date, this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog, but the vendor has acknowledged the issue and provided a fix [1][3].
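The Overview above describes the root cause (a sanitizer that resolves `document.implementation` at call time can be redirected by a named element), and the mitigation text recommends sanitizing user-controlled input before rendering. The following is an added example written for this page, not Bootstrap's code or its fix: it shows the defensive pattern of validating and capturing the native `createHTMLDocument` reference once, before any untrusted markup is rendered, so that later clobbering of `document.implementation` is both detected and harmless to the captured parser. The `makeFakeDocument` stand-in is a constructed object so the example runs under Node; in a browser the real `document` would be passed instead.

```javascript
// Added example (not Bootstrap's code): guarding an HTML-sanitizing helper
// against DOM clobbering of document.implementation.

// Returns true when `doc.implementation` no longer looks like a native
// DOMImplementation: missing, shadowed by an element (named elements expose
// a string tagName), or lacking a callable createHTMLDocument.
function isImplementationClobbered(doc) {
  const impl = doc && doc.implementation;
  if (!impl || typeof impl !== 'object') return true;
  if (typeof impl.tagName === 'string') return true; // an element, not DOMImplementation
  if (typeof impl.createHTMLDocument !== 'function') return true;
  return false;
}

// Verifies document.implementation and captures createHTMLDocument at setup
// time. The returned parser keeps using the captured native reference, so a
// later clobber of document.implementation cannot redirect it.
function makeSafeHtmlParser(doc) {
  if (isImplementationClobbered(doc)) {
    throw new Error('document.implementation is clobbered; refusing to build parser');
  }
  const impl = doc.implementation;
  const createHTMLDocument = impl.createHTMLDocument.bind(impl);
  return function parseHtml(html) {
    // Parse into an inert, separate document rather than the live page.
    const inert = createHTMLDocument('');
    inert.body.innerHTML = html;
    return inert;
  };
}

// Constructed stand-in for a browser document so this runs without a DOM.
// It models only the two members the helper above touches.
function makeFakeDocument() {
  const nativeImpl = {
    createHTMLDocument(title) {
      return { title, body: { innerHTML: '' } };
    },
  };
  return { implementation: nativeImpl };
}

// Walks through the scenario: a parser built while the document is still
// intact keeps working after document.implementation is shadowed, while an
// attempt to build a parser afterwards is refused.
function demo() {
  const doc = makeFakeDocument();
  const parse = makeSafeHtmlParser(doc);          // captured while still native
  const beforeClobber = isImplementationClobbered(doc);

  // Simulate the effect of an injected element named "implementation":
  // the named element now shadows the DOMImplementation on the document.
  doc.implementation = { tagName: 'IMG', name: 'implementation' };

  const afterClobber = isImplementationClobbered(doc);
  const parsed = parse('<b>hi</b>');              // still uses the captured reference
  let lateBuildRefused = false;
  try {
    makeSafeHtmlParser(doc);
  } catch (e) {
    lateBuildRefused = true;
  }
  return {
    beforeClobber,
    afterClobber,
    parsedBody: parsed.body.innerHTML,
    lateBuildRefused,
  };
}
```

The check on `tagName` is what distinguishes a clobbered property from the native object: a DOMImplementation has no `tagName`, whereas any element that shadows the property does. Capturing the bound method at initialization is the same idea as the general advice to take references to native APIs before user-controlled markup is inserted into the page.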
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.