Cross-site scripting in HedgeDoc - CVE-2025-32391


Published: April 10, 2025 / Updated: April 25, 2026


Vulnerability identifier: #VU127923
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-32391
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HedgeDoc
Affected software:
HedgeDoc

Detailed vulnerability description

The vulnerability allows a remote user with upload rights to execute arbitrary script in the victim's browser.

The vulnerability exists due to insufficient handling of user-uploaded SVG files served by the /uploads endpoint. Uploaded files are returned from the application's own origin with their SVG media type, so when a victim opens the file's URL directly (for example in a new tab) instead of viewing it embedded as an image, the browser renders the SVG as a full document and runs any script it contains in the HedgeDoc origin. A remote user can upload a specially crafted SVG file and lure a victim into opening it to execute arbitrary script in the victim's browser.

Only instances using the local filesystem upload backend, or other configurations where uploads are served from the same domain as the application, are vulnerable; when uploads are served from a separate origin, any script runs in that origin rather than as HedgeDoc. User interaction is required: the victim must open the uploaded file directly. Exploitation also relies on the default Content Security Policy, which allows GitHub Gist embeddings (JSONP) and therefore script fetched from that source; the crafted SVG uses that allowance to get its payload executed rather than relying on inline script.


How to mitigate CVE-2025-32391

Install the security update from the vendor's website. Until the update is applied, the conditions above point to two ways of reducing exposure: serve uploads from a separate origin instead of the local filesystem backend so that the SVG is no longer same-origin with the application, and tighten the Content Security Policy so that GitHub Gist embedding is no longer allowed, since the known exploitation path depends on it.

Sources