VYPR
Medium severity 6.1 · NVD Advisory · Published Jan 26, 2026 · Updated Apr 15, 2026

CVE-2025-11687

Description

A flaw was found in gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected DOM XSS vulnerability in gi-docgen allows arbitrary JavaScript execution via a crafted URL, enabling session theft and client-side attacks.

Vulnerability Overview

A reflected DOM-based Cross-Site Scripting (XSS) vulnerability was discovered in gi-docgen, a documentation tool for GObject-based libraries. The flaw arises because the tool does not properly encode search terms before inserting them into the page's HTML output. Specifically, when a user submits a search query using the q GET parameter, the value is reflected directly into the HTML response without sanitization or escaping, allowing an attacker to inject arbitrary JavaScript code [1][2].
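The missing encoding step described above, shown as an added example that is not gi-docgen's code or its actual fix: a hypothetical search renderer in its unescaped form beside a hardened form. All function names, the docs.example.test URL and the sample query are constructed for illustration.

```javascript
// Added illustration: hypothetical client-side search renderer, not gi-docgen's code.
// Every function name below is an assumption made for this example.

// Pull the search term out of a page URL, as a search script would from location.href.
function queryFromUrl(href) {
  return new URL(href).searchParams.get("q") || "";
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the term is concatenated into markup as-is.
function renderResultsUnsafe(query, hits) {
  return `<h3>Results for "${query}"</h3><p>${hits} match(es)</p>`;
}

// Hardened pattern: the term is encoded before it reaches markup.
function renderResultsSafe(query, hits) {
  return `<h3>Results for "${escapeHtml(query)}"</h3><p>${Number(hits)} match(es)</p>`;
}

// Count element start tags; a fixed template must always yield the same number,
// so an extra tag means the query was parsed as markup instead of text.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample input: a benign marker element standing in for injected markup.
const sampleUrl = "https://docs.example.test/index.html?q=" +
  encodeURIComponent("<img src=x onerror=alert(1)>");

function demo() {
  const q = queryFromUrl(sampleUrl);
  return {
    query: q,
    unsafeTags: countTags(renderResultsUnsafe(q, 0)), // template tags plus the injected one
    safeTags: countTags(renderResultsSafe(q, 0)),     // template tags only
    safeHtml: renderResultsSafe(q, 0),
  };
}

console.log(demo());
```

In a browser, assigning the term through textContent instead of building an HTML string keeps it out of the HTML parser entirely.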

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL that includes a JavaScript payload in the q parameter and then tricking a victim into visiting that URL. For example, a URL pattern like https://libsoup.gnome.org/libsoup-3.0/*.html?q=[PAYLOAD] would cause the server to include the payload unescaped in the generated page. When the victim's browser renders the page, the injected script executes in the security context of the affected domain. No authentication or special privileges are required beyond the victim visiting the crafted link [3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the domain hosting the gi-docgen documentation. This access can be abused to read or modify DOM content, steal session cookies, perform actions on behalf of the victim, or launch further client-side attacks. The severity of this issue depends on what other services are hosted on the same domain; if the domain serves sensitive applications, the impact is significantly higher [3].

Mitigation

The vulnerability was reported on October 3, 2025, and fixed on October 10, 2025, with the release of gi-docgen version 2025.5. Users are strongly advised to update to this or a later version. The fix is available in the GNOME GitLab merge request 254 [3]. No workaround is documented, and updating the gi-docgen tool is the recommended mitigation.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions    Patched versions
gi-docgen (PyPI)    < 2025.5             2025.5
