CVE-2025-32391 MEDIUM

CVE-2025-32391: HedgeDoc allows XSS possibility through malicious SVG uploads

Vendor Hedgedoc
Product hedgedoc
Weakness CWE-79 · XSS
Published April 10, 2025
Last update April 10, 2025
View on NVD All CVEs

CVSS base score

6.4/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.3, a malicious SVG file uploaded to HedgeDoc results in the possibility of XSS when opened in a new tab instead of the editor itself. The XSS is possible by exploiting the JSONP capabilities of GitHub Gist embeddings. Only instances with the local filesystem upload backend or special configurations, where the uploads are served from the same domain as HedgeDoc, are vulnerable. This vulnerability is fixed in 1.10.3. When upgrading to HedgeDoc 1.10.3 is not possible, instance owners could add the following headers for all routes under /uploads as a first-countermeasure: Content-Disposition: attachment and Content-Security-Policy: default-src 'none'. Additionally, the external URLs in the script-src attribute of the Content-Security-Policy header should be removed.

Key dates

02Disclosure timeline

April 10, 2025 CVE published
April 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-0691 FileBird <= 5.6.0 - Authenticated(Administrator+) Stored Cross-Site Scripting via Folder Import CVE-2025-55063 Priority - CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CVE-2025-24732 WordPress BookingPress Plugin <= 1.1.25 - Cross Site Scripting (XSS) vulnerability CVE-2023-48583 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2025-46973 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)