Web Scripting Vulnerability in Mintlify Platform
CVE-2025-67842
What is CVE-2025-67842?
CVE-2025-67842 is a web scripting vulnerability identified in the Mintlify Platform, a tool designed to streamline collaboration and documentation for teams by managing their content and resources more efficiently. The vulnerability lies in the Static Asset API, which allows remote attackers to inject arbitrary web scripts or HTML through the subdomain parameter. The flaw exists because assets belonging to one tenant can be served on another tenant's documentation site, which opens a path to cross-site scripting (XSS). If successfully exploited, this vulnerability could lead to unauthorized access, compromise of user data, or manipulation of the site's behavior, posing serious risks to organizational integrity and user trust.
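The tenant-isolation failure described above comes down to an asset endpoint trusting a caller-supplied subdomain instead of the tenant the request actually belongs to. The following added example (not Mintlify's code; the hostnames, tenant registry and asset layout are constructed for illustration) contrasts a resolver that selects the asset root from the subdomain parameter with a hardened one that derives the tenant from the serving hostname, rejects any mismatch, refuses path traversal, and returns conservative response headers for the types most often abused for script injection.

```python
import re
from pathlib import PurePosixPath

# Constructed tenant registry (hypothetical): the docs hostname a tenant is
# served on, mapped to that tenant's asset namespace.
TENANT_BY_HOST = {
    "acme.example-docs.com": "acme",
    "globex.example-docs.com": "globex",
}

# A DNS-label-shaped subdomain; anything else is rejected before comparison.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Extensions allowed inline. Types that can carry markup or script (SVG, HTML)
# are deliberately not on this list and are served as downloads instead.
INLINE_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".css": "text/css",
    ".woff2": "font/woff2",
}
ATTACHMENT_TYPES = {".svg": "image/svg+xml", ".html": "text/html"}


class AssetRequestError(Exception):
    """Raised when an asset request fails tenant or path validation."""


def resolve_asset_vulnerable(host: str, subdomain: str, asset_path: str) -> str:
    # Pattern of the flaw: the asset root is chosen by an attacker-controlled
    # parameter, so tenant X's page can be made to load tenant Y's assets.
    return f"/assets/{subdomain}/{asset_path}"


def resolve_asset_hardened(host: str, subdomain: str, asset_path: str) -> str:
    # 1. The tenant comes from the hostname the request was served on,
    #    never from a query parameter.
    tenant = TENANT_BY_HOST.get(host.lower())
    if tenant is None:
        raise AssetRequestError("unknown docs host")

    # 2. The subdomain parameter must be well formed and must name the same
    #    tenant; a mismatch is a cross-tenant request and is refused.
    if not SUBDOMAIN_RE.match(subdomain) or subdomain != tenant:
        raise AssetRequestError("cross-tenant asset request rejected")

    # 3. Normalise the path and refuse traversal, absolute paths and empty paths
    #    so the result stays inside the tenant's own asset namespace.
    path = PurePosixPath(asset_path)
    if not path.parts or path.is_absolute() or ".." in path.parts:
        raise AssetRequestError("invalid asset path")

    return f"/assets/{tenant}/{path}"


def is_rejected(host: str, subdomain: str, asset_path: str) -> bool:
    """Convenience wrapper: True if the hardened resolver refuses the request."""
    try:
        resolve_asset_hardened(host, subdomain, asset_path)
    except AssetRequestError:
        return True
    return False


def asset_response_headers(asset_path: str) -> dict:
    # Fixed Content-Type from the extension plus nosniff, so a browser never
    # re-interprets an asset as script or markup; markup-capable types become
    # downloads rather than rendering in the tenant's origin.
    ext = PurePosixPath(asset_path).suffix.lower()
    headers = {"X-Content-Type-Options": "nosniff"}
    if ext in INLINE_TYPES:
        headers["Content-Type"] = INLINE_TYPES[ext]
    elif ext in ATTACHMENT_TYPES:
        headers["Content-Type"] = ATTACHMENT_TYPES[ext]
        headers["Content-Disposition"] = "attachment"
    else:
        raise AssetRequestError(f"asset type not served: {ext or '(none)'}")
    return headers


if __name__ == "__main__":
    print(resolve_asset_vulnerable("acme.example-docs.com", "globex", "app.js"))
    print(resolve_asset_hardened("acme.example-docs.com", "acme", "img/logo.png"))
    print(is_rejected("acme.example-docs.com", "globex", "app.js"))
    print(asset_response_headers("diagram.svg"))
```

The key design choice is that the hardened resolver treats the subdomain parameter as something to verify against the request's own tenant, not as the source of truth; the header helper is a second, independent layer so that even an asset that does slip through cannot be sniffed or rendered as active content.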
Potential Impact of CVE-2025-67842
- Cross-Site Scripting (XSS) Attacks: Attackers can inject harmful scripts into the platform, impacting users who access compromised documentation sites. This could lead to data theft, session hijacking, or defacement of content.
- Unauthorized Data Access: The ability to inject scripts may allow attackers to extract sensitive information from both tenants and external users, leading to significant data breaches and potential regulatory repercussions.
- Reputation Damage: If exploited, this vulnerability could severely damage Mintlify's reputation and that of organizations using the platform, resulting in loss of user trust and potential financial consequences tied to recovery efforts and legal liabilities.
Affected Version(s)
Mintlify Platform, all versions before 2025-11-15 (version range 0 < 2025-11-15)
