Unrated severityNVD Advisory· Published Dec 5, 2025· Updated Dec 8, 2025
HedgeDoc is missing state parameter in OAuth2 flows could lead to CSRF
CVE-2025-66629
Description
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.4, some of HedgeDoc's OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection, since they don't send a state parameter and verify the response using this parameter. This vulnerability is fixed in 1.10.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- github.com/hedgedoc/hedgedoc/commit/35f36fccba941ed8029ee222f7d2a5df17b42e2bmitrex_refsource_MISC
- github.com/hedgedoc/hedgedoc/security/advisories/GHSA-6wm6-3vpq-6qvvmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.