Unrated severity · NVD Advisory · Published Jun 18, 2025 · Updated Jun 23, 2025
CryptPad DOM-Based Cross-Site Scripting (XSS) Vulnerability
CVE-2025-49590
Description
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality filters javascript: URIs to prevent Cross-Site Scripting (XSS), but the filter can be bypassed. There is an "early allow" code path that runs before the URI's protocol/scheme is checked, and a maliciously crafted URI can take that path. This issue has been patched in version 2025.3.0.
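The defect described above is one of ordering: a shortcut that allows a link runs before the scheme is validated. The following is an added example, not CryptPad's own bouncer code, showing the safe ordering: parse the URI, reject any scheme outside an allowlist, and only then consult an early-allow rule. The trusted-origin rule, the function names and the sample links are all hypothetical.

```javascript
// Added example (not CryptPad's code): a link bouncer that validates the
// URI scheme before any "early allow" shortcut can return.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Hypothetical early-allow rule: links pointing back at one of the app's
// own origins skip the interstitial warning page. In the flawed ordering
// the advisory describes, a shortcut like this runs before the scheme check.
function isTrustedOrigin(url, trustedOrigins) {
  return trustedOrigins.includes(url.origin);
}

// Returns "block", "allow-direct" or "show-warning".
function bounce(href, trustedOrigins) {
  let url;
  try {
    // The URL parser yields a canonical, lower-case protocol value, so the
    // allowlist comparison below is not fooled by surface variations.
    url = new URL(href);
  } catch (e) {
    // Unparseable input never reaches an allow path.
    return "block";
  }

  // Scheme check first: nothing below executes for javascript:, data:, etc.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return "block";
  }

  // Only now is the early-allow shortcut consulted.
  if (isTrustedOrigin(url, trustedOrigins)) {
    return "allow-direct";
  }

  return "show-warning";
}

// Constructed sample inputs (hypothetical origins) for a local check.
const TRUSTED_ORIGINS = ["https://cryptpad.example"];
const SAMPLE_LINKS = [
  "https://cryptpad.example/pad/#/2/pad/edit/abc",
  "https://other.example/page",
  "javascript:void(0)",
  "data:text/html,hello",
  "not a url",
];

// Evaluates every sample and returns [href, decision] pairs.
function runSamples() {
  return SAMPLE_LINKS.map((href) => [href, bounce(href, TRUSTED_ORIGINS)]);
}

for (const [href, decision] of runSamples()) {
  console.log(`${decision.padEnd(13)} ${href}`);
}
```

The point of the structure is that `isTrustedOrigin` can only ever see a URL whose protocol has already passed the allowlist, so no change to the early-allow rule can reintroduce a scheme bypass.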
References
- https://github.com/cryptpad/cryptpad/blob/15c81aa8ccb737a9a1167481f4a699af331364bb/www/bounce/main.js
- https://github.com/cryptpad/cryptpad/commit/d5e4830ba104a4a442cb23aab5378b8565a95607
- https://github.com/cryptpad/cryptpad/security/advisories/GHSA-vq9h-x3gr-v8rj