CVE-2025-49590 Information
Jun 19, 2025
cve
Description
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS); however, this filter can be bypassed. There is an "early allow" code path that runs before the URI's protocol/scheme is checked, and a maliciously crafted URI can follow it. This issue has been patched in version 2025.3.0.
Reference
https://github.com/cryptpad/cryptpad/blob/15c81aa8ccb737a9a1167481f4a699af331364bb/www/bounce/main.js#L64-L95
https://github.com/cryptpad/cryptpad/commit/d5e4830ba104a4a442cb23aab5378b8565a95607
https://github.com/cryptpad/cryptpad/security/advisories/GHSA-vq9h-x3gr-v8rj
Related CNNVD
CNNVD-202506-2554 (Published: 2025-06-18)