Cross-site request forgery in HedgeDoc - CVE-2025-66629


Published: April 25, 2026


Vulnerability identifier: #VU127924
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-66629
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HedgeDoc
Affected software:
HedgeDoc

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify data by causing a victim to be logged into the attacker's account.

The vulnerability exists due to cross-site request forgery in the OAuth2 callback endpoints: when a social login response is processed without a `state` parameter, nothing binds the callback to the login flow the victim's browser actually started. A remote user can therefore trick the victim into opening a crafted callback URL carrying the attacker's authorization response, causing the victim's session to be logged into the attacker's account, which allows sensitive information to be disclosed and data to be modified.

Only instances with an enabled affected social login provider are vulnerable, and user interaction is required to open the crafted URL.
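The following is an added illustration of the missing check, not HedgeDoc's code: a minimal in-memory session and two callback handlers, one that exchanges the code unconditionally and one that rejects any callback whose `state` does not match the nonce stored when the flow began. The authorize URL, session layout and `fake_exchange_code` stub are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for the provider's token exchange: maps an
# authorization code to the account it was issued for.
CONSTRUCTED_ACCOUNTS = {"attacker-code": "attacker", "victim-code": "victim"}


def fake_exchange_code(code: str) -> str:
    """Stub for the code-for-token exchange; returns the account's user id."""
    return CONSTRUCTED_ACCOUNTS[code]


def build_authorize_redirect(session: dict, authorize_url: str) -> str:
    """Start a login: mint a nonce, bind it to this browser session, send it as `state`."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return f"{authorize_url}?response_type=code&state={state}"


def callback_without_state(session: dict, query: dict, exchange=fake_exchange_code) -> bool:
    """Vulnerable pattern (CWE-352): any code presented to the callback logs the
    session in, even if this browser never initiated a login flow."""
    code = query.get("code")
    if code is None:
        return False
    session["user"] = exchange(code)
    return True


def callback_with_state(session: dict, query: dict, exchange=fake_exchange_code) -> bool:
    """Hardened pattern: require a pending nonce for this session and a
    constant-time match against the `state` echoed back by the provider."""
    expected = session.pop("oauth_state", None)  # one-shot: also blocks replay
    received = query.get("state")
    code = query.get("code")
    if expected is None or received is None or code is None:
        return False
    if not hmac.compare_digest(expected, received):
        return False
    session["user"] = exchange(code)
    return True
```

In the vulnerable variant a victim session with no pending login still ends up bound to the attacker's account; the hardened variant refuses it, accepts the legitimate round trip, and rejects a replay of the same callback.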


How to mitigate CVE-2025-66629

Install the security update from the vendor's website.

Sources