CVE-2025-30223 CRITICAL

CVE-2025-30223: Beego allows Reflected/Stored XSS in Beego's RenderForm() Function Due to Unescaped User Input

Vendor Beego
Product beego
Weakness CWE-79 · XSS
Published March 31, 2025
Last update March 31, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Beego is an open-source web framework for the Go programming language. Prior to 2.3.6, a Cross-Site Scripting (XSS) vulnerability exists in Beego's RenderForm() function due to improper HTML escaping of user-controlled data. This vulnerability allows attackers to inject malicious JavaScript code that executes in victims' browsers, potentially leading to session hijacking, credential theft, or account takeover. The vulnerability affects any application using Beego's RenderForm() function with user-provided data. Since it is a high-level function generating an entire form markup, many developers would assume it automatically escapes attributes (the way most frameworks do). This vulnerability is fixed in 2.3.6.

Key dates

02Disclosure timeline

March 31, 2025 CVE published
March 31, 2025 Record updated