CVE-2025-8349
Description
Stored cross-site scripting (XSS) vulnerability in Tawk Live Chat. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by uploading a malicious PDF with a JavaScript payload through the chatbot. The PDF is stored by the application and subsequently displayed without proper sanitisation when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Tawk Live Chat via malicious PDF upload allows JavaScript execution in victims' browsers.
Vulnerability
Overview
CVE-2025-8349 is a stored cross-site scripting (XSS) vulnerability in Tawk Live Chat, a free customer service tool [1]. The root cause is improper sanitisation of PDF files uploaded through the chatbot. An attacker can craft a PDF containing a JavaScript payload, which the application stores and later displays to other users without adequate filtering [1].
Exploitation
To exploit this vulnerability, an attacker needs only to upload a malicious PDF via the chatbot interface. No authentication is required beyond the ability to interact with the chat feature. When any other user accesses the stored PDF (for example, by viewing chat history or downloading the file), the embedded JavaScript executes in their browser [1]. The attack vector is network-based, requires user interaction (the victim must access the PDF), and has low attack complexity [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of sensitive data such as session cookies, enabling session hijacking, or performing actions on behalf of the victim within the application [1]. The CVSS v4.0 vector records no confidentiality, integrity, or availability impact on the vulnerable system itself, but a low impact on the confidentiality and integrity of the subsequent system, i.e. the victim's browser session (SC:L, SI:L) [1].
Mitigation
As of the publication date, no official patch or workaround has been reported [1]. Users of Tawk Live Chat should monitor vendor communications for updates and consider restricting PDF uploads or implementing additional input validation until a fix is available.
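The interim measures above (restricting PDF uploads and adding input validation) can be turned into two concrete server-side checks. The following is an added example, not Tawk's code: a scanner that flags the PDF name objects a viewer acts on (including the `#xx` name-escape form used to disguise them), and a header set that serves any stored upload as a download rather than rendering it inline. The sample PDF bytes are constructed for the demonstration, and the `noop` string stands in for an actual payload.

```python
import re

# PDF names may be written with #xx hex escapes, e.g. /J#61vaScript for /JavaScript.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Name objects that cause a viewer to run script or perform an external action.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                b"/SubmitForm", b"/ImportData", b"/RichMedia")

def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so disguised names compare equal to their plain form."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def find_active_content(data: bytes) -> list:
    """Return the active-content names present in the raw bytes of an upload.

    Limitation: names inside compressed object streams (/ObjStm) are not visible
    without decompression, so an empty result is necessary but not sufficient;
    pair this check with the download-only headers below.
    """
    if not data.startswith(b"%PDF-"):
        return ["not-a-pdf"]
    body = normalise_names(data)
    # (?![A-Za-z]) keeps /JS from matching inside a longer name such as /JSX.
    return [n.decode() for n in ACTIVE_NAMES
            if re.search(re.escape(n) + rb"(?![A-Za-z])", body)]

def download_headers(filename: str) -> dict:
    """Headers for serving a stored upload: force a download, never inline rendering."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }

# Constructed samples: a minimal clean catalog and one carrying an OpenAction script.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
SAMPLE_ACTIVE = (b"%PDF-1.4\n1 0 obj << /Type /Catalog "
                 b"/OpenAction << /S /J#61vaScript /JS (noop) >> >> endobj\n%%EOF")

if __name__ == "__main__":
    for label, doc in (("clean", SAMPLE_CLEAN), ("active", SAMPLE_ACTIVE)):
        print(label, find_active_content(doc))
```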
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.