Monkeytype vulnerable to stored XSS in approve quotes page
CVE-2025-66563

7.1HIGH

Key Information:

Vendor: Monkeytypegame
Status: Monkeytype
Vendor: CVE Published:; 4 December 2025

🔔 Create Monkeytypegame Vulnerability Alert

What is CVE-2025-66563?

Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags).

Affected Version(s)

monkeytype <= 25.49.0

References

https://github.com/monkeytypegame/monkeytype/security/adv...

x_refsource_CONFIRM

https://github.com/monkeytypegame/monkeytype/commit/d6d06...

x_refsource_MISC

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 4, 2025
Vulnerability Reserved
Dec 4, 2025

JSON