CVE-2025-49590

by Fred · 18/06/2025

CryptPad is a collaboration suite. Prior to version 2025.3.0, the “Link Bouncer” functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an “early allow” code path that happens before the URI’s protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.

Assigner : security-advisories@github.com

More information : https://github.com/cryptpad/cryptpad/blob/15c81aa8ccb737a9a1167481f4a699af331364bb/www/bounce/main.js#L64-L95

CVE-2025-49590

Similar

Recent Posts

Categories

CVE-2025-49590

Share this:

Similar

Recent Posts

Categories

Tags