VYPR
Moderate severity · NVD Advisory · Published Sep 9, 2022 · Updated Aug 3, 2024

Cross-site Scripting (XSS) - Stored in appwrite/appwrite

CVE-2022-2925

Description

Appwrite prior to 1.0.0-RC1 contains a stored cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2022-2925 is a stored cross-site scripting (XSS) vulnerability in Appwrite, an open-source development platform that provides backend infrastructure for web, mobile, and AI applications [1]. The vulnerability affects versions prior to 1.0.0-RC1 and was fixed in a commit that updated the code.js file [3]. Stored XSS occurs when user-supplied input is not properly sanitized before being stored and later rendered to other users [4].

Exploitation

An attacker can exploit this vulnerability by submitting crafted input containing malicious JavaScript code through a vulnerable input field or endpoint [2]. The attack requires no special privileges beyond normal user access to the platform, and the injected script will be stored by the application. When other users view the affected page or content, the malicious script executes in their browser context, potentially allowing the attacker to steal session tokens, cookies, or perform actions on behalf of the victim [4].

Impact

Successful exploitation leads to unauthorized access to victim accounts, data exfiltration, or website defacement within the context of the Appwrite application [2]. Because the XSS is stored, the impact can propagate to all users who access the infected content, making it a high-severity issue that could compromise the entire application's security [4].

Mitigation

The vulnerability was patched in Appwrite version 1.0.0-RC1 [3]. Users running earlier versions should upgrade immediately to mitigate the risk. There are no known workarounds, and the fix requires updating to the patched release [4].
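Since the fix replaces one DOM sink with another, the same pattern is worth auditing in the rest of a front-end code base. The following is an added example, not Appwrite's code and not part of the advisory: a heuristic line scanner that flags HTML-parsing sinks whose value is not a static string literal. The function names, the sink list and the sample lines are assumptions constructed for illustration.

```javascript
// Added example: flag DOM sinks that parse a string as HTML when the value
// written is not a plain string literal. Heuristic line scanner, not a parser.
const HTML_SINKS = [
  // property assignment: el.innerHTML = expr / el.outerHTML += expr
  { name: 'innerHTML/outerHTML', re: /\.(?:innerHTML|outerHTML)\s*\+?=(?!=)\s*(.+?);?\s*$/ },
  // method call: el.insertAdjacentHTML(position, expr)
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(\s*[^,]+,\s*(.+?)\)\s*;?\s*$/ },
];

// A value made of exactly one quoted literal (no concatenation, no template
// substitution) cannot carry user input.
function isStaticLiteral(expr) {
  const e = expr.trim();
  if (/^'(?:[^'\\]|\\.)*'$/.test(e) || /^"(?:[^"\\]|\\.)*"$/.test(e)) return true;
  return /^`(?:[^`\\$]|\\.|\$(?!\{))*`$/.test(e);
}

// Returns one finding per flagged line: { line, sink, expr }.
function findHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((raw, i) => {
    const line = raw.replace(/\/\/.*$/, ''); // drop line comments (heuristic)
    for (const sink of HTML_SINKS) {
      const m = sink.re.exec(line);
      if (m && !isStaticLiteral(m[1])) {
        findings.push({ line: i + 1, sink: sink.name, expr: m[1].trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: the first two statements mirror the patch on this page.
const SAMPLE = [
  'code.innerHTML = value;',                      // pre-fix form: flagged
  'code.textContent = value;',                    // post-fix form: not flagged
  "status.innerHTML = '';",                       // static literal: not flagged
  "row.innerHTML = '<td>' + name + '</td>';",     // concatenation: flagged
  'list.insertAdjacentHTML("beforeend", item);',  // method sink: flagged
  '// old.innerHTML = value;',                    // commented out: not flagged
].join('\n');

console.log(findHtmlSinks(SAMPLE));
```

A finding is a prompt for manual review of where the expression comes from, not proof of a vulnerability; a line-based scan misses assignments split across lines.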

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
appwrite/server-ce (Packagist) | < 1.0.0-RC1 | 1.0.0-RC1

Affected products

2

Patches

1
b5b4d92623c1

Update code.js

https://github.com/appwrite/appwrite · Bradley Schofield · Aug 11, 2022 · via ghsa
1 file changed · +1 -1
  • public/scripts/views/forms/code.js+1 1 modified
    @@ -58,7 +58,7 @@
               value = element.value;
             }
     
    -        code.innerHTML = value;
    +        code.textContent = value;
     
             Prism.highlightElement(code);
     
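Review bot: at `code.textContent = value;` nothing records why the sink changed, so a later edit could restore `innerHTML` to get markup rendering back. Add a short comment on that line stating that `value` is untrusted input (it is read from `element.value` just above) and must only be written as text before `Prism.highlightElement(code)` runs. The branch that assigns `value` before `element.value` is outside the visible context, so confirm it also yields a plain string. A regression test that places a string containing markup in the field and asserts that `code` has no child elements after this assignment would keep the fix from regressing.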
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
