JavaScript Code Execution Vulnerability in Mesh Connect JS SDK
CVE-2025-59430

8.2HIGH

Key Information:

Vendor

Frontfin

Status
Mesh-web-sdk
Vendor
CVE Published:
22 September 2025

What is CVE-2025-59430?

The Mesh Connect JS SDK prior to version 3.3.2 has a significant vulnerability due to insufficient sanitization of URL protocols in the createLink.openLink function. This flaw permits attackers to execute arbitrary JavaScript code in the context of the parent page, effectively allowing them to manipulate the DOM, access local storage, sessions, and cookies. Moreover, if an attacker gains control over the customIframeId, they can hijack existing iframe sources. It's crucial for users to update to version 3.3.2 or later to mitigate this security risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

mesh-web-sdk < 3.3.2

References

https://github.com/FrontFin/mesh-web-sdk/security/advisor...
x_refsource_CONFIRM
https://github.com/FrontFin/mesh-web-sdk/pull/124
x_refsource_MISC
https://github.com/FrontFin/mesh-web-sdk/commit/7f2214851...
x_refsource_MISC

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.