VYPR
Severity: Unrated (NVD Advisory) · Published Dec 5, 2025 · Updated Dec 8, 2025

HedgeDoc: missing state parameter in OAuth2 flows could lead to CSRF

CVE-2025-66629

Description

HedgeDoc is an open source, real-time, collaborative markdown notes application. Prior to 1.10.4, some of HedgeDoc's OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection: they do not send a state parameter in the authorization request and therefore cannot verify the provider's response against one, so a callback can be completed by a browser that never started the flow. This vulnerability is fixed in 1.10.4.


Affected products

  • HedgeDoc/HedgeDoc: versions < 1.10.4 (no CPE assigned)
