Unrated severityNVD Advisory· Published Dec 5, 2025· Updated Dec 8, 2025

HedgeDoc is missing state parameter in OAuth2 flows could lead to CSRF

CVE-2025-66629

Description

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.4, some of HedgeDoc's OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection, since they don't send a state parameter and verify the response using this parameter. This vulnerability is fixed in 1.10.4.

Affected products

HedgeDoc/HedgeDocllm-fuzzy
Range: <1.10.4
hedgedoc/hedgedocv5
Range: < 1.10.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/hedgedoc/hedgedoc/commit/35f36fccba941ed8029ee222f7d2a5df17b42e2bmitrex_refsource_MISC
github.com/hedgedoc/hedgedoc/security/advisories/GHSA-6wm6-3vpq-6qvvmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000