CVE-2025-27608
Description
Arduino IDE 2.x is an IDE based on the Theia IDE framework and built with Electron. A Self Cross-Site Scripting (XSS) vulnerability has been identified within the Arduino-IDE prior to version v2.3.5. The vulnerability occurs in the Additional Board Manager URLs field, which can be found in the Preferences -> Settings section of the Arduino IDE interface. In the vulnerable versions, any values entered in this field are directly displayed to the user through a notification tooltip object, without a proper output encoding routine, due to the underlying ElectronJS engine interpretation. This vulnerability exposes the input parameter to Self-XSS attacks, which may lead to security risks depending on where the malicious payload is injected. This vulnerability is fixed in 2.3.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Arduino IDE 2.x before 2.3.5 has a Self-XSS vulnerability in the Additional Board Manager URLs field due to missing output encoding.
The vulnerability is a Self-XSS (Cross-Site Scripting) issue in Arduino IDE versions prior to 2.3.5. It arises in the Additional Board Manager URLs field within Preferences → Settings. User-supplied values are rendered directly in a notification tooltip without proper output encoding, allowing JavaScript execution in the ElectronJS context [1].
Exploitation requires user interaction, typically via social engineering to trick a user into pasting malicious input. Since it is a Self-XSS, the attacker cannot directly inject code without the victim's involvement. However, the underlying ElectronJS engine interprets the payload, making it possible to execute arbitrary JavaScript in the context of the IDE [1].
The impact includes potential compromise of sensitive information, access tokens, or triggering unintended actions within the application. The severity is low due to the need for user interaction, but it can still be leveraged in targeted attacks [1].
Mitigation is straightforward: update to Arduino IDE version 2.3.5 or later. The fix, visible in commit [2], adds DOMPurify sanitization to the notification component, encoding the message before rendering via dangerouslySetInnerHTML [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
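The pattern the narrative describes, as an added example that is not code from the Arduino IDE or its fix commit: a notification renderer that interpolates the preferences-field value straight into markup (the innerHTML / dangerouslySetInnerHTML path) next to one that applies an output-encoding routine first. The real fix sanitises with DOMPurify; this example uses plain HTML entity encoding so it runs without dependencies, and the sample field value is constructed.

```javascript
// Added example, not Arduino IDE code. Shows why a value rendered as raw
// HTML in a tooltip is interpreted as markup, and what output encoding does.

// Constructed sample for the "Additional Board Manager URLs" field: a URL
// carrying stray markup characters, as someone might paste by mistake.
const SAMPLE_VALUE = 'https://example.invalid/package_<b>boards</b>_index.json';

const TOOLTIP_OPEN = '<div class="notification-tooltip">';
const TOOLTIP_CLOSE = '</div>';

// Vulnerable pattern: the string is concatenated into the markup unchanged,
// so any tags inside it become part of the DOM when set via innerHTML.
function renderTooltipUnsafe(message) {
  return `${TOOLTIP_OPEN}${message}${TOOLTIP_CLOSE}`;
}

// Output-encoding routine: replace the five characters that carry meaning in
// HTML text and attribute contexts with entity references.
function escapeHtml(text) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Fixed pattern: encode before interpolating. The page's fix uses DOMPurify
// instead; entity encoding is the dependency-free equivalent for a message
// that is meant to be displayed as plain text.
function renderTooltipSafe(message) {
  return `${TOOLTIP_OPEN}${escapeHtml(message)}${TOOLTIP_CLOSE}`;
}

// Defender-side check: the tooltip body must contain no raw tag delimiters,
// i.e. nothing the HTML parser would treat as an element boundary.
function bodyHasRawMarkup(html) {
  const body = html.slice(TOOLTIP_OPEN.length, -TOOLTIP_CLOSE.length);
  return /[<>]/.test(body);
}

console.log(renderTooltipUnsafe(SAMPLE_VALUE));
console.log(renderTooltipSafe(SAMPLE_VALUE));
```

The same check is the one a unit test for the notification component should carry: feed it a value containing markup characters and assert that the rendered body holds only entity references.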
Affected products (1)
- Range: 0.1.0, 0.1.1, 0.1.2, …
Patches
28aa3c28c5093d298b3ffc940
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.