Self Cross-Site Scripting Vulnerability in Arduino IDE 2.x by Arduino
CVE-2025-27608

1LOW

Key Information:

Vendor: Arduino
Status: Arduino-ide
Vendor: CVE Published:; 2 April 2025

What is CVE-2025-27608?

A self cross-site scripting vulnerability exists in Arduino IDE 2.x, stemming from improper handling of user input in the Additional Board Manager URLs field. This issue allows potential attackers to inject malicious scripts that are reflected back to the user via notification tooltips, due to inadequate output encoding. The risk intensifies based on the nature of the injected payload, leading to possible security breaches. Users are urged to upgrade to version 2.3.5 or later to mitigate this risk.

Affected Version(s)

arduino-ide < 2.3.5

References

https://github.com/arduino/arduino-ide/security/advisorie...

x_refsource_CONFIRM

https://github.com/arduino/arduino-ide/commit/d298b3ffc94...

x_refsource_MISC

CVSS V4

Score:

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 2, 2025
Vulnerability Reserved
Mar 3, 2025

JSON