SB20260425210 - Multiple vulnerabilities in HedgeDoc
Published: April 25, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2025-66629)
The vulnerability allows a remote user to disclose sensitive information and modify data by causing a victim to be logged into the attacker's account.
The vulnerability exists due to cross-site request forgery in OAuth2 callback endpoints when handling OAuth2 social login responses without a state parameter. A remote user can trick the victim into opening a crafted callback URL to disclose sensitive information and modify data by causing a victim to be logged into the attacker's account.
Only instances with an enabled affected social login provider are vulnerable, and user interaction is required to open the crafted URL.
2) Cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote attacker to trigger browser actions and initiate limited cross-site side effects.
The vulnerability exists due to cross-site scripting in iframe embeddings when rendering embedded webpages. A remote attacker can embed a specially crafted webpage in an iframe to trigger browser actions and initiate limited cross-site side effects.
User interaction is required, and the issue affects instances that allow iframe usage.
Remediation
Install the update from the vendor's website.