CVE-2025-14830
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JFrog Artifactory (Workers) allows Cross-Site Scripting (XSS). This issue affects Artifactory (Workers): from >=7.94.0 through <7.117.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-14830: Stored XSS in JFrog Artifactory Workers versions ≥7.94.0 and <7.117.10 allows attackers to inject arbitrary web scripts.
Vulnerability Overview
CVE-2025-14830 is a stored cross-site scripting (XSS) vulnerability in the JFrog Artifactory Workers module. The flaw stems from improper neutralization of user-controlled input during web page generation, specifically within the Workers functionality. This permits an attacker to inject malicious scripts that are later served to other users [1].
Exploitation Prerequisites
An attacker must have the ability to supply crafted input to an Artifactory Workers endpoint that reflects or stores the payload without sanitization. No special network position is required beyond standard web access to the affected service. User interaction (e.g., viewing a page containing the injected payload) is necessary for script execution [1].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, data exfiltration, or unauthorized actions performed on behalf of the authenticated user within the Artifactory web interface [1].
Mitigation Status
JFrog has addressed the vulnerability in Artifactory version 7.117.10 and later. Users running versions from 7.94.0 up to but not including 7.117.10 should upgrade immediately. No workarounds have been publicly documented [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: >=7.94.0, <7.117.10
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.