JavaScript Code Execution Vulnerability in Mesh Connect JS SDK
CVE-2025-59430

8.2HIGH

Key Information:

Vendor: Frontfin
Status: Mesh-web-sdk
Vendor: CVE Published:; 22 September 2025

What is CVE-2025-59430?

The Mesh Connect JS SDK prior to version 3.3.2 has a significant vulnerability due to insufficient sanitization of URL protocols in the createLink.openLink function. This flaw permits attackers to execute arbitrary JavaScript code in the context of the parent page, effectively allowing them to manipulate the DOM, access local storage, sessions, and cookies. Moreover, if an attacker gains control over the customIframeId, they can hijack existing iframe sources. It's crucial for users to update to version 3.3.2 or later to mitigate this security risk.

Affected Version(s)

mesh-web-sdk < 3.3.2

References

https://github.com/FrontFin/mesh-web-sdk/security/advisor...

x_refsource_CONFIRM

https://github.com/FrontFin/mesh-web-sdk/pull/124

x_refsource_MISC

https://github.com/FrontFin/mesh-web-sdk/commit/7f2214851...

x_refsource_MISC

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 22, 2025
Vulnerability Reserved
Sep 15, 2025

Frontfin

What is CVE-2025-59430?

Affected Version(s)

References

CVSS V3.1

Timeline