CVE-2025-49590

Exploit

EPSS 0.06%
Published 18.06.2025 22:14:06
Last modified 11.08.2025 18:18:19
Source security-advisories@github.com
Teams watchlist Login
Open Login

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Xwiki ≫ Cryptpad Version < 2025.3.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.06%	0.193

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	2.9	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-692 Incomplete Denylist to Cross-Site Scripting

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

https://github.com/cryptpad/cryptpad/security/advisories/GHSA-vq9h-x3gr-v8rj

Vendor Advisory

Exploit

https://github.com/cryptpad/cryptpad/commit/d5e4830ba104a4a442cb23aab5378b8565a95607

Patch

https://github.com/cryptpad/cryptpad/blob/15c81aa8ccb737a9a1167481f4a699af331364bb/www/bounce/main.js#L64-L95

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-49590

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-49590

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-49590

EUVD