CVE-2025-66629 LOW

CVE-2025-66629: HedgeDoc missing state parameter in OAuth2 flows could lead to CSRF

Vendor Hedgedoc
Product hedgedoc
Weakness CWE-352 · CSRF
Published December 5, 2025
Last update December 8, 2025

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

Description

HedgeDoc is an open source, real-time, collaborative markdown notes application. Prior to 1.10.4, some of HedgeDoc's OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection: they neither send a state parameter in the authorization request nor verify the callback against one. In the OAuth2 authorization-code flow the state value (RFC 6749, Section 10.12) is what binds the provider's response to the browser session that started the flow; without it, the callback endpoint cannot distinguish a response the user requested from one an attacker caused the user's browser to deliver (CWE-352). This vulnerability is fixed in 1.10.4.

Key dates

Disclosure timeline

December 5, 2025 CVE published
December 8, 2025 Record updated
