Cross-Site Scripting Vulnerability in CryptPad Collaboration Suite
CVE-2025-49590

2.9 LOW

Key Information:

Vendor

Cryptpad

Status
Vendor
CVE Published:
18 June 2025

What is CVE-2025-49590?

CryptPad is a collaboration suite whose 'Link Bouncer' functionality contained a vulnerability prior to version 2025.3.0. The issue allows an attacker to bypass the JavaScript URI filtering that is meant to prevent Cross-Site Scripting (XSS). The flaw lies in an early execution path of the code that does not properly validate the URI's protocol (scheme), so a maliciously crafted URI can evade detection. Users should upgrade to version 2025.3.0 to mitigate this security risk.
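The root cause described above is a link filter that reasons about the URI scheme without first normalizing it. The following added example is not CryptPad's code and makes no claim about how its Link Bouncer is implemented; it contrasts a hypothetical prefix-based check (`naiveLooksSafe`) with a parser-based allowlist (`isSafeLink`, `bounce`) that lets the platform's WHATWG URL parser decide what the scheme actually is. All function names, the allowlist, and the test inputs are constructed for this illustration.

```javascript
// Added example, not CryptPad's code: scheme allowlisting for outbound links.
// Only these schemes may leave the "bouncer"; everything else is refused.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Hypothetical weak check, constructed for contrast: it looks for one literal,
// lowercase prefix, so it never sees the scheme the browser will actually use
// after it strips leading whitespace and lower-cases the scheme.
function naiveLooksSafe(href) {
  return !href.startsWith("javascript:");
}

// Hardened check: parse first, then compare the normalized scheme against
// the allowlist. The URL parser trims leading/trailing C0 controls and
// spaces and lower-cases the scheme, so the decision is made on the same
// value the browser would act on. Unparseable input is refused, not guessed.
function isSafeLink(href) {
  let url;
  try {
    url = new URL(href); // absolute URLs only; relative links are not "external"
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Decision record a bouncer page could log or render: what was seen, what
// scheme the parser derived, and why the link was allowed or blocked.
function bounce(href) {
  let scheme = null;
  try {
    scheme = new URL(href).protocol;
  } catch (e) {
    return { href, scheme, allow: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { href, scheme, allow: false, reason: `scheme ${scheme} not allowed` };
  }
  return { href, scheme, allow: true, reason: "scheme allowlisted" };
}

// Constructed sample inputs for a stand-alone run.
const SAMPLE_LINKS = [
  "https://example.com/doc",
  "mailto:user@example.com",
  " JavaScript:alert(1)", // leading space + mixed case: naive check misses it
  "not a url",
];

for (const link of SAMPLE_LINKS) {
  const d = bounce(link);
  console.log(`${d.allow ? "ALLOW" : "BLOCK"} ${JSON.stringify(link)} -> ${d.reason}`);
}
```

The design point is that the allowlist is checked against `url.protocol`, a value the parser has already normalized, rather than against the raw string; a denylist of "bad" prefixes on the raw string is exactly the shape of check that leaves room for a scheme-validation bypass like the one this CVE describes.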

Affected Version(s)

cryptpad < 2025.3.0

References

CVSS V4

Score:
2.9
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
