VYPR
High severity · 8.2 · OSV Advisory · Published Sep 22, 2025 · Updated Apr 15, 2026

CVE-2025-59430

Description

Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the lack of sanitization of URL protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. This is technically indistinguishable from a real page at the rendering level and allows access to the parent page DOM, storage, session, and cookies. If the attacker can specify customIframeId, they can hijack the source of existing iframes. This issue has been patched in version 3.3.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lack of URL protocol sanitization in Mesh Connect JS SDK's createLink.openLink enables arbitrary JavaScript execution in the parent page's context.

Vulnerability

Overview

The Mesh Connect JS SDK prior to version 3.3.2 contains a cross-site scripting vulnerability in the createLink.openLink function. The function decodes base64-encoded link tokens and sets the resulting string as the src attribute of an iframe without validating the URL protocol [1][2][4]. This allows an attacker to supply a malicious payload such as javascript:alert(document.domain)// encoded as base64, which, when decoded and assigned to the iframe's src, executes arbitrary JavaScript in the context of the parent page [4].
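As an added illustration (not the SDK's own code), a fail-closed validator for a base64 link token of the kind described above: it decodes the token, runs the result through the URL parser, and accepts only https: URLs whose origin is on an allowlist. ALLOWED_ORIGINS and link.example.test are constructed placeholders, not Mesh's real link origin; the javascript: token is the one from the advisory's regression test.

```javascript
// Constructed placeholder allowlist; a real deployment would list the SDK's expected link origins.
const ALLOWED_ORIGINS = ['https://link.example.test'];

// Buffer.from(..., 'base64') silently skips bad characters, so enforce strict base64 first.
const BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;

function decodeToken(token) {
  if (typeof token !== 'string' || token.length % 4 !== 0 || !BASE64_RE.test(token)) {
    return null; // malformed base64: caller treats this as an invalid token
  }
  return Buffer.from(token, 'base64').toString('utf8');
}

function validateLinkToken(token, allowedOrigins = ALLOWED_ORIGINS) {
  const decoded = decodeToken(token);
  if (decoded === null) return { ok: false, reason: 'malformed base64' };

  let url;
  try {
    url = new URL(decoded); // throws for non-absolute strings such as a bare "http://"
  } catch {
    return { ok: false, reason: 'not a parseable absolute URL' };
  }
  // The parser normalizes scheme case and strips leading whitespace, so compare the
  // parsed protocol and origin instead of string-prefixing the raw decoded token.
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `unsupported protocol ${url.protocol}` };
  }
  if (!allowedOrigins.includes(url.origin)) {
    return { ok: false, reason: `origin not allowed: ${url.origin}` };
  }
  return { ok: true, href: url.href, origin: url.origin };
}

// Token from the advisory's regression test: base64 of "javascript:alert(document.domain)//".
const JS_TOKEN = 'amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5kb21haW4pLy8=';
// Constructed token for the placeholder origin.
const GOOD_TOKEN = Buffer.from('https://link.example.test/b2b-iframe?x=1').toString('base64');

console.log(validateLinkToken(JS_TOKEN));   // rejected: unsupported protocol javascript:
console.log(validateLinkToken(GOOD_TOKEN)); // accepted with the normalized origin
```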

Attack

Vector and Exploitation

To exploit this vulnerability, an attacker must be able to provide a crafted link token to the createLink.openLink function. No authentication is required; the attack can be launched remotely over a network. The attack requires user interaction, as the victim must trigger the openLink call (e.g., by clicking a link or visiting a page that uses the vulnerable SDK) [1][4]. The exploit is indistinguishable from a legitimate page at the rendering level, making it difficult for users or automated scanners to detect [4]. If the attacker can also control the customIframeId parameter, they can hijack the source of existing iframes on the page [4].

Impact

Successful exploitation allows the attacker to access the parent page's DOM, storage, session, and cookies. This can lead to data theft, session hijacking, or further cross-origin attacks. In the context of wallet integrations, the impact may be critical, potentially enabling unauthorized transactions or loss of funds [4]. The CVSS v3.1 score is 8.2 (High) with a scope of changed, reflecting the ability to access and modify resources beyond the vulnerable component [1][4].

Mitigation

The issue has been patched in Mesh Connect JS SDK version 3.3.2. Users are strongly recommended to update to this version or later [1][4]. There are no known workarounds for this vulnerability, as it stems from a lack of input validation in a core function. The advisory is published on GitHub Security Advisories under GHSA-vh3f-qppr-j97f [4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          | Affected versions | Patched versions
@meshconnect/web-link-sdk (npm)  | < 3.3.2           | 3.3.2

Affected products: 1

Patches: 1

Commit 7f22148516d5

XPR-1522 fix XSS vulnerability (#124)

https://github.com/frontfin/mesh-web-sdk · Salavat Gainetdinov · Sep 10, 2025 · via osv
3 files changed · +23 −1
  • packages/link/package.json  +1 −1  modified
    @@ -1,6 +1,6 @@
     {
       "name": "@meshconnect/web-link-sdk",
    -  "version": "3.3.1",
    +  "version": "3.3.2",
       "description": "A client-side JS library for integrating with Mesh Connect",
       "main": "./src/index.ts",
       "module": "./src/index.ts",
    
  • packages/link/src/Link.test.ts  +15 −0  modified
    @@ -46,6 +46,21 @@ describe('createLink tests', () => {
         expect(iframeElement).toBeFalsy()
       })
     
    +  test('createLink when invalid link url provided should not open popup', () => {
    +    const exitFunction = jest.fn<void, [string | undefined]>()
    +    const frontConnection = createLink({
    +      clientId: 'test',
    +      onIntegrationConnected: jest.fn(),
    +      onExit: exitFunction
    +    })
    +
    +    frontConnection.openLink('amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5kb21haW4pLy8=')
    +
    +    expect(exitFunction).toHaveBeenCalledWith('Invalid link token!')
    +    const iframeElement = document.getElementById('mesh-link-popup__iframe')
    +    expect(iframeElement).toBeFalsy()
    +  })
    +
       test('createLink when valid link provided should open popup', () => {
         const frontConnection = createLink({
           clientId: 'test',
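Review bot: the new negative test covers only the javascript: scheme (the token decodes to javascript:alert(document.domain)//), while the guard in Link.ts accepts exactly the two prefixes http:// and https://; a couple more cases would pin that contract down: a non-http scheme such as data:, an uppercase or whitespace-prefixed HTTP:// token (rejected by the prefix check, so worth documenting as intended), and a token that is not valid base64, for which window.atob throws before onExit is ever reached. Asserting that onExit was called exactly once would also guard against the error path firing twice if later validation is added.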
    
  • packages/link/src/Link.ts  +7 −0  modified
    @@ -446,6 +446,13 @@ export const createLink = (options: LinkOptions): Link => {
     
         currentOptions = options
         let linkUrl = window.atob(linkToken)
    +    const isProtocolValid =
    +      linkUrl.startsWith('http://') || linkUrl.startsWith('https://')
    +    if (!isProtocolValid) {
    +      options?.onExit?.('Invalid link token!')
    +      return
    +    }
    +
         linkUrl = addLanguage(linkUrl, currentOptions?.language)
         linkTokenOrigin = new URL(linkUrl).origin
         window.removeEventListener('message', eventsListener)
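Review bot: the early return sits before addLanguage and new URL(linkUrl), which is the right place, but two inputs still escape it: window.atob(linkToken) on the preceding line throws on a token that is not valid base64, and a token that decodes to a bare "http://" passes the prefix check and then makes new URL(linkUrl).origin throw. Wrapping the decode and the URL construction in a try/catch that routes to the same onExit('Invalid link token!') path keeps the failure mode uniform. The check also accepts plaintext http:// link URLs and any https host; since linkTokenOrigin is derived from this URL on the following line, comparing the parsed origin against an allowlist of the expected Mesh link origins would be stronger than a string prefix. Minor: the guard reads options?.onExit right after currentOptions = options is assigned; using one consistently avoids confusion.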
    

References: 6

News mentions: 0

No linked articles in our index yet.