Stored Cross-Site Scripting Vulnerability in Pinecone by Matrix.org
CVE-2025-27155

6.1MEDIUM

Key Information:

Vendor: Matrix-org
Status: Pinecone
Vendor: CVE Published:; 4 March 2025

What is CVE-2025-27155?

The Pinecone Simulator, which serves as an experimental overlay routing protocol suite for P2P Matrix demos, is susceptible to a stored cross-site scripting issue. This vulnerability arises from inadequate handling of input, allowing an attacker to inject malicious scripts that could be executed in the context of another user's browser session. Although the payload storage is transient and is cleared upon restarting pineconesim, the potential for exploitation remains a significant concern during active sessions.

Affected Version(s)

pinecone < 218b2801995b174085cb1c8fafe2d3aa661f85bd

References

https://github.com/matrix-org/pinecone/security/advisorie...

x_refsource_CONFIRM

https://github.com/matrix-org/pinecone/commit/218b2801995...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 4, 2025
Vulnerability Reserved
Feb 19, 2025

Matrix-org

What is CVE-2025-27155?

Affected Version(s)

References

CVSS V3.1

Timeline