CVE-2025-1647: Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components

May 15, 2025 (updated September 18, 2025)

Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Bootstrap allows Cross-Site Scripting (XSS). This issue affects Bootstrap version 3.4.1. At time of publication, there is no publicly available patched version.

References

github.com/advisories/GHSA-q58r-hwc8-rm9j
github.com/twbs/bootstrap
lists.debian.org/debian-lts-announce/2025/06/msg00001.html
nvd.nist.gov/vuln/detail/CVE-2025-1647
www.herodevs.com/vulnerability-directory/cve-2025-1647

Code Behaviors & Features

Detect and mitigate CVE-2025-1647 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →