Reflected XSS Vulnerability in ONLYOFFICE Docs DocumentServer
CVE-2025-5301

6.1MEDIUM

Key Information:

Vendor: Onlyoffice
Status: Docs (documentserver)
Vendor: CVE Published:; 12 June 2025

What is CVE-2025-5301?

ONLYOFFICE Docs (DocumentServer), specifically versions equal to or below 8.3.1, are susceptible to a reflected Cross-Site Scripting (XSS) vulnerability. This issue arises when files are accessed through the WOPI protocol, allowing attackers to craft malicious HTTP POST requests. These harmful scripts can be injected and subsequently reflected within the server's HTML response, potentially compromising the safety of users interacting with the web application.

Affected Version(s)

Docs (DocumentServer) <=8.3.1

References

https://r.sec-consult.com/onlyoffice

third-party-advisory

https://github.com/ONLYOFFICE/DocumentServer/blob/master/...

release-notes

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2025
Vulnerability Reserved
May 28, 2025

Credit

Max Rull, SEC Consult Vulnerability Lab