Khoj Obsidian Vulnerable to Cross Site Scripting (XSS) via Prompt Injection
CVE-2024-25639
What is CVE-2024-25639?
Khoj, an application for creating personal AI agents, has a vulnerability in its Obsidian, Desktop, and Web clients. The flaw arises from inadequate sanitization of user inputs and of AI model responses, which leaves the clients susceptible to Cross Site Scripting (XSS). Specifically, an attacker can reach the flaw through prompt injection: untrusted documents that the user has indexed, or documents fetched via the /online command, can steer the model into emitting markup that the client then renders, leading to script execution in the user's browser context. The vulnerability has been addressed in version 1.13.0 of the application.
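The root cause described above is a rendering decision: a chat client that inserts the model's reply into the page as HTML executes any markup the model echoed from an untrusted document. The following is an added example (not Khoj's own code) showing the vulnerable pattern beside the hardened one, working on strings so it runs outside a browser; the sample model response is a constructed stand-in for text returned after the model read a poisoned indexed note.

```javascript
// Added example, not part of the Khoj project. Demonstrates why a chat client
// must treat model output as text, not HTML, when inserting it into the DOM.

// Characters that change meaning in an HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string so the browser shows it as literal characters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the model response is trusted as HTML and spliced in as-is.
// Equivalent to `el.innerHTML = modelResponse` in a browser client.
function renderUnsafe(modelResponse) {
  return `<div class="chat-message">${modelResponse}</div>`;
}

// Hardened pattern: the model response is rendered as character data. Any tag
// the model copied out of an indexed document becomes inert text.
// Equivalent to `el.textContent = modelResponse` in a browser client.
function renderSafe(modelResponse) {
  return `<div class="chat-message">${escapeHtml(modelResponse)}</div>`;
}

// Regression check for the renderer: after stripping the client's own known
// wrapper, does any element tag survive inside the message body?
function containsElement(html) {
  const inner = html
    .replace(/^<div class="chat-message">/, '')
    .replace(/<\/div>$/, '');
  return /<\w+[^>]*>/i.test(inner);
}

// Constructed sample (hypothetical): a reply in which the model has echoed
// markup planted in a document it was asked to summarise.
const SAMPLE_RESPONSE =
  'Summary of your note: <img src=x onerror="/* attacker-controlled script */"> end of summary';

// Stand-alone demonstration.
console.log('unsafe render contains element:', containsElement(renderUnsafe(SAMPLE_RESPONSE)));
console.log('safe render contains element:  ', containsElement(renderSafe(SAMPLE_RESPONSE)));
console.log(renderSafe(SAMPLE_RESPONSE));
```

In a real client the string-level escape maps onto assigning `textContent` rather than `innerHTML`; where the client wants to render the model's markdown, the generated HTML should still pass through an HTML sanitizer before insertion, and the `containsElement` style check can serve as a unit test that the sanitizer is actually wired in.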

Affected Version(s)
khoj < 1.13.0
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved
