VYPR
Medium severity (4.2) · OSV Advisory · Published Jul 7, 2025 · Updated Apr 15, 2026

CVE-2025-53543

Description

Kestra is an event-driven orchestration platform. The error message in the execution "Overview" tab is vulnerable to stored XSS due to improper handling of the HTTP response received. This vulnerability is fixed in 0.22.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kestra below 0.22.0 suffers stored XSS when error messages render an attacker-controlled HTTP response without sanitization.

Vulnerability

Kestra versions prior to 0.22.0 contain a stored cross-site scripting (XSS) vulnerability in the execution "Overview" tab. The bug stems from improper handling of HTTP responses; when a task receives an error response (e.g., HTTP 504), the raw response body is rendered without sanitization, allowing embedded JavaScript to execute in the context of the Kestra application [1].

Exploitation

An attacker can exploit this by hosting a web server that returns a crafted error page containing a JavaScript payload, such as an onerror handler in an `` tag. A Kestra workflow that makes an HTTP request to the attacker-controlled endpoint will receive the malicious response. Once the execution finishes with an error, navigating to the execution's "Overview" tab renders the response, triggering the XSS [1].
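As an added illustration (not Kestra's code and not part of the advisory), the rendering defect described above modelled as string templates: the raw interpolation of an upstream error body beside an escaped version, plus a check a UI regression test could run on rendered output. The error body and the `payload()` handler name are constructed placeholders.

```javascript
// Added example, not Kestra's code: the advisory's rendering defect modelled as
// string templates so it runs under Node without a DOM.

// Constructed sample: a body an upstream might return alongside its HTTP 504,
// carrying an inline onerror handler. "payload()" is a placeholder name.
const SAMPLE_ERROR_BODY =
  '<html><body><h1>504 Gateway Timeout</h1>' +
  '<img src="x" onerror="payload()"></body></html>';

// The five characters that can open or close markup or break out of an attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape: the body is interpolated into the page as markup, which is
// what innerHTML-style rendering of the error message amounts to. A browser
// would parse the <img> element and run its onerror handler.
function renderErrorUnsafe(body) {
  return `<pre class="error">${body}</pre>`;
}

// Hardened shape: the body is escaped first, so the browser displays the
// upstream's HTML as literal text instead of parsing it.
function renderErrorSafe(body) {
  return `<pre class="error">${escapeHtml(body)}</pre>`;
}

// Defensive check for UI output: does any element in the fragment carry an
// inline event-handler attribute (onerror=, onload=, ...)?
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe fragment has handler:', hasInlineHandler(renderErrorUnsafe(SAMPLE_ERROR_BODY)));
console.log('safe fragment has handler:  ', hasInlineHandler(renderErrorSafe(SAMPLE_ERROR_BODY)));
console.log(renderErrorSafe(SAMPLE_ERROR_BODY));
```

Escaping at render time is the generic fix; a real UI would apply it through the framework's text binding rather than a hand-rolled template, but the invariant checked by `hasInlineHandler` is the same.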

Impact

Successful execution of arbitrary JavaScript in the victim's browser can lead to compromise of the Kestra instance. The attacker could steal session tokens, perform actions on behalf of the authenticated user, or access sensitive data visible within the application [1].

Mitigation

The vulnerability is fixed in Kestra version 0.22.0. Users are advised to upgrade immediately. No workarounds are documented [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Kestra/Kestra · OSV · 2 versions
    v0.19.0, v0.22.0-rc1-SNAPSHOT, v0.22.0-rc2-SNAPSHOT, …+ 1 more
    • (no CPE) range: v0.19.0, v0.22.0-rc1-SNAPSHOT, v0.22.0-rc2-SNAPSHOT, …
    • (no CPE) range: <0.22.0

Patches (1)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)
