CryptPad XSS via Link Bouncer before 2025.3.0
CVE-2025-49590 Published on June 18, 2025
CryptPad DOM-Based Cross-Site Scripting (XSS) Vulnerability
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript: URIs to prevent Cross-Site Scripting (XSS), but the filter can be bypassed. There is an "early allow" code path that is taken before the URI's protocol/scheme is checked, and a maliciously crafted URI can take that path and reach the browser with its scheme never inspected. This issue has been patched in version 2025.3.0.
Weakness Type
Incomplete Denylist to Cross-Site Scripting
The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.
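The two weaknesses described above (an "early allow" branch that returns before the scheme check, and a denylist that misses scheme spellings the browser still accepts) can be seen side by side in the following added example. It is illustrative code written for this page, not CryptPad's Link Bouncer; the host name pad.example, the early-allow rule and the sample links are all constructed assumptions. The hardened variant parses the link with the WHATWG URL API first, which removes embedded tabs and newlines and lowercases the scheme the same way the browser does, and then allowlists the scheme with no short-circuit ahead of that check.

```javascript
// Added illustration, not CryptPad code. Contrasts a denylist-based link
// bouncer with an "early allow" path against an allowlist-based one.

// Denylist approach: only the literal "javascript:" prefix is blocked.
const DENIED_SCHEMES = /^\s*javascript:/i;

// Vulnerable bouncer. The early-allow shortcut ("links that mention our
// own host are fine") runs BEFORE the scheme check, so a crafted URI that
// merely contains the host string never has its scheme inspected.
// The rule itself is a constructed example of the bug class.
function bounceVulnerable(href, trustedHost = 'pad.example') {
  if (href.includes(trustedHost)) {
    return { allow: true, reason: 'early-allow' }; // scheme never checked
  }
  if (DENIED_SCHEMES.test(href)) {
    return { allow: false, reason: 'denylist' };
  }
  // Anything not on the denylist falls through: data:, vbscript:,
  // or "java<TAB>script:" which browsers normalise to javascript:.
  return { allow: true, reason: 'default' };
}

// Hardened bouncer: parse first, then allowlist the scheme, no early return.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function bounceHardened(href, base = 'https://pad.example/') {
  let url;
  try {
    // WHATWG parsing strips tabs/newlines, lowercases the scheme and
    // resolves relative links against the assumed base.
    url = new URL(href, base);
  } catch {
    return { allow: false, reason: 'unparseable' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allow: false, reason: 'scheme ' + url.protocol + ' not allowlisted' };
  }
  return { allow: true, reason: 'allowlisted', href: url.href };
}

// Constructed sample links exercising both filters.
const SAMPLE_LINKS = [
  'https://other.example/page',          // ordinary external link
  '/docs/guide',                         // relative link, resolved by hardened path
  'javascript:alert(1)',                 // caught by the denylist
  'javascript:alert(1)//pad.example',    // early-allow bypass: host string present
  'java\tscript:alert(1)',               // denylist miss: browser strips the tab
  'JAVASCRIPT:alert(1)//pad.example',    // uppercase scheme plus early-allow
  'data:text/html,<script>alert(1)</script>', // never on the denylist
];

// Runs every sample through both bouncers and returns the comparison.
function audit(links = SAMPLE_LINKS) {
  return links.map((href) => ({
    href,
    vulnerable: bounceVulnerable(href).allow,
    hardened: bounceHardened(href).allow,
  }));
}

console.table(audit());
```

Running the block prints a table in which the vulnerable bouncer lets through every sample except the bare `javascript:alert(1)`, while the hardened one admits only the https and relative links. The practical check to carry over to any link filter: there must be no return path that can be reached before the scheme has been parsed and compared against an allowlist, and the comparison must be done on the parsed scheme, not on the raw string.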
Products Associated with CVE-2025-49590
Affected Versions
cryptpad Version < 2025.3.0 is affected by CVE-2025-49590
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.