VYPR
Medium severity4.9OSV Advisory· Published Apr 26, 2025· Updated Apr 15, 2026

CVE-2025-46655

CVE-2025-46655

Description

CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted JavaScript content, but the selected architecture within AWS does not have components that are able to insert Content-Security-Policy headers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Hackmdio/CodimdOSV2 versions
    0.4.0, 0.4.1, 0.4.2, …+ 1 more
    • (no CPE)range: 0.4.0, 0.4.1, 0.4.2, …
    • (no CPE)range: <= 2.5.4

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.