Cross-Site Scripting Vulnerability in Mist Community Edition Authentication Endpoint
CVE-2025-5412

5.1MEDIUM

Key Information:

Vendor

Mist

Status
Community Edition
Vendor
CVE Published:
2 June 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-5412?

A vulnerability has been discovered in Mist Community Edition versions up to 4.7.1 affecting the Authentication Endpoint. An issue in the 'Login' function of the src/mist/api/views.py file allows an attacker to manipulate the 'return_to' parameter, potentially enabling cross-site scripting attacks. This vulnerability can be exploited remotely, posing significant risks as the exploit has been disclosed publicly. To mitigate this risk, users are advised to upgrade to version 4.7.2, which includes a patch identified by the commit db10ecb62ac832c1ed4924556d167efb9bc07fad.

Affected Version(s)

Community Edition 4.7.0

Community Edition 4.7.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-5412 - Proof of Concept

References

https://vuldb.com/?id.310752
vdb-entrytechnical-description
https://vuldb.com/?ctiid.310752
signaturepermissions-required
https://vuldb.com/?submit.583534
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability Reserved

Credit

Alex Perrakis
Efstratios Chatzoglou
Georgios Kambourakis
alexperrakis (VulDB User)
.