SB2025041049 - Cross-site scripting in HedgeDoc


Published: April 10, 2025 Updated: April 25, 2026

Security Bulletin ID: SB2025041049
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2025-32391)

The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the /uploads endpoint: a malicious SVG file served from the same domain as the application and opened directly in a new tab executes in the application's origin. A remote user can upload a specially crafted SVG file to execute arbitrary script in the victim's browser.

Only instances that use the local filesystem upload backend, or any configuration in which uploads are served from the same domain as the application, are affected. Exploitation requires the victim to open the uploaded file directly, and relies on the GitHub Gist JSONP embeddings that the default content security policy permits.
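The two defender-side measures the description points at, as an added example that is not HedgeDoc's code: triaging already-uploaded SVG files for active content, and serving files from the uploads path with headers that keep a rendered SVG out of the application's origin. The Node.js handler this would plug into, and the sample SVGs, are assumptions.

```javascript
// Added example (not HedgeDoc's code). Assumes uploads are served by a
// same-origin Node.js handler that can set per-response headers.

// Markers of active content inside an SVG document (triage heuristics, not a parser).
const ACTIVE_SVG_PATTERNS = [
  /<\s*script\b/i,                 // inline <script> elements
  /\son[a-z]+\s*=/i,               // event handler attributes (onload=, onclick=, ...)
  /javascript\s*:/i,               // javascript: URLs in href / xlink:href
  /<\s*foreignObject\b/i,          // HTML embedded inside the SVG
  /<\s*(iframe|embed|object)\b/i,  // nested active documents
];

// Return the pattern sources an SVG document matches; an empty array means nothing flagged.
function svgActiveContentFindings(svgText) {
  return ACTIVE_SVG_PATTERNS.filter((re) => re.test(svgText)).map((re) => re.source);
}

// Response headers for a file served from the uploads path. Anything a browser
// would render as a document (SVG included) is sent as a download inside an
// opaque-origin sandbox with no script sources, so opening it in a new tab cannot
// run script with the application's origin. <img> embedding keeps working because
// browsers ignore Content-Disposition and CSP for image subresources.
function headersForUpload(filename) {
  const ext = filename.toLowerCase().split('.').pop();
  const headers = {
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
  const renderableAsDocument = new Set(['svg', 'html', 'htm', 'xml', 'xhtml']);
  if (renderableAsDocument.has(ext)) {
    headers['Content-Disposition'] = 'attachment';
    if (ext === 'svg') headers['Content-Type'] = 'image/svg+xml';
  }
  return headers;
}

// Constructed samples: a plain drawing and one that carries a script element.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>';
const SCRIPT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>';

console.log('benign findings:', svgActiveContentFindings(BENIGN_SVG));
console.log('script findings:', svgActiveContentFindings(SCRIPT_SVG));
console.log('headers for note.svg:', headersForUpload('note.svg'));
```

The regex triage is a first pass for reviewing an existing uploads directory; the headers are the durable fix when uploads must stay on the same domain, and a separate upload domain removes the origin overlap altogether.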


Remediation

Install the update from the vendor's website.