Cross-Site Scripting Vulnerability in Promptcraft Forge Studio by Marcelo Tessaro
CVE-2025-58361

9.3 CRITICAL

Key Information:

Vendor
CVE Published: 4 September 2025

What is CVE-2025-58361?

Promptcraft Forge Studio, a toolkit for evaluating and maintaining LLM-powered applications, contains a flaw that allows Cross-Site Scripting (XSS) because of inadequate URL validation. The existing check in src/utils/validation.ts is insufficient: it filters out only a limited set of patterns and does not reject 'data:' URLs (e.g., data:image/svg+xml,…). User-controlled URLs can therefore pass the check unchanged, and an attacker can execute malicious scripts when such a "sanitized" value is placed into an href or src attribute. Currently, there is no fix available for this vulnerability.
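The weakness described above is the classic blocklist-versus-allowlist problem: a check that rejects a handful of known-bad prefixes lets any scheme it did not anticipate (here 'data:') through. The following is an added example, not code from Promptcraft Forge Studio or its author; the blocklist shown is an assumed, illustrative stand-in for the kind of pattern filter the advisory describes, and the allowlist version beside it is the mitigation a reviewer would ask for. It parses the value with the standard WHATWG URL constructor and accepts only an explicit set of schemes, so 'data:', 'javascript:' and any future scheme are rejected by default, while relative paths still resolve.

```typescript
// Added example (not the project's own code): contrasting a blocklist URL check
// with a scheme-allowlist check before a value is used in href/src.

// Assumed, illustrative blocklist of the kind the advisory describes as insufficient.
const BLOCKED_PATTERNS: RegExp[] = [/^\s*javascript:/i, /^\s*vbscript:/i];

// Blocklist approach: anything not explicitly listed is allowed, so 'data:' slips through.
function isSafeUrlBlocklist(url: string): boolean {
  return !BLOCKED_PATTERNS.some((pattern) => pattern.test(url));
}

// Allowlist approach: only these schemes may reach an href/src attribute.
const ALLOWED_SCHEMES: Set<string> = new Set(["http:", "https:", "mailto:"]);

// Base used only to resolve relative URLs; ".invalid" is a reserved, non-routable TLD.
const RESOLUTION_BASE = "https://example.invalid/";

function isSafeUrlAllowlist(url: string): boolean {
  let parsed: URL;
  try {
    // The URL parser normalises case and strips leading/trailing whitespace, so the
    // scheme comparison below sees the canonical form rather than the raw input.
    parsed = new URL(url, RESOLUTION_BASE);
  } catch (e) {
    return false; // unparsable input is rejected rather than passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Helper a template would call: returns the original value if safe, otherwise a
// harmless placeholder so the attribute never carries an unexpected scheme.
function safeHref(url: string): string {
  return isSafeUrlAllowlist(url) ? url : "about:blank";
}

// Constructed sample inputs for demonstration.
const SAMPLE_URLS: string[] = [
  "https://example.invalid/docs",
  "/relative/page",
  "data:text/html,placeholder",
  "javascript:void(0)",
];

// Runs both checks over the samples; useful when reading the example stand-alone.
function compareChecks(urls: string[]): Array<{ url: string; blocklist: boolean; allowlist: boolean }> {
  return urls.map((url) => ({
    url,
    blocklist: isSafeUrlBlocklist(url),
    allowlist: isSafeUrlAllowlist(url),
  }));
}

for (const row of compareChecks(SAMPLE_URLS)) {
  console.log(`${row.url.padEnd(30)} blocklist=${row.blocklist} allowlist=${row.allowlist}`);
}
```

Running the block shows the gap directly: the 'data:' sample passes the blocklist check but is rejected by the allowlist. Rejecting at the scheme level is also independent of where the value is later rendered, which matters because the advisory's impact comes from the value being placed into href/src after it was assumed clean.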

Affected Version(s)

promptcraft-forge-studio >= 0

References

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
