Platform
nodejs
Component
hedgedoc
Fixed in
1.10.5
CVE-2025-66629 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting HedgeDoc, an open-source collaborative markdown notes application. This flaw allows attackers to potentially trigger unintended actions within a user's HedgeDoc account through crafted requests. The vulnerability impacts versions of HedgeDoc prior to 1.10.4 and has been resolved in version 1.10.4.
The CSRF vulnerability in HedgeDoc allows an attacker to craft malicious requests that appear to originate from a legitimate user. If a user is authenticated and visits a malicious website or clicks a crafted link, the attacker can potentially perform actions on their behalf, such as modifying notes or changing account settings. The impact is limited to actions that can be performed through the vulnerable OAuth2 endpoints for social login providers like Google, GitHub, GitLab, Facebook, and Dropbox. While the CVSS score is LOW, successful exploitation could lead to unauthorized data modification or account compromise, particularly if users have sensitive information stored within HedgeDoc.
This vulnerability was publicly disclosed on 2025-12-05. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the LOW CVSS score and lack of public exploits, the probability of active exploitation is currently considered low.
Organizations and individuals using HedgeDoc versions prior to 1.10.4, particularly those relying on social login providers for authentication, are at risk. Shared hosting environments where multiple users share the same HedgeDoc instance are also potentially more vulnerable, as a compromised user could impact other users on the same server.
• nodejs / server:
grep -r 'OAuth2' /path/to/hedgedoc/source
• generic web:
curl -I https://your-hedgedoc-instance/oauth2/google/callback # Check for missing state parameter
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-66629 is to upgrade HedgeDoc to version 1.10.4 or later. This version includes a fix that properly implements CSRF protection for the affected OAuth2 endpoints. If upgrading immediately is not feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which HedgeDoc can load resources. Additionally, educate users about the risks of clicking suspicious links and visiting untrusted websites. After upgrading, verify the fix by attempting to trigger a CSRF request through a known vulnerable endpoint and confirming that the request is blocked.
Update HedgeDoc to version 1.10.4 or later. This version fixes the CSRF vulnerability in OAuth2 flows by implementing validation of the 'state' parameter. The update can be carried out via the package manager or according to the update instructions provided by HedgeDoc.
CVE-2025-66629 is a Cross-Site Request Forgery (CSRF) vulnerability in HedgeDoc versions prior to 1.10.4, allowing attackers to perform actions as authenticated users via social login.
You are affected if you are using HedgeDoc version 1.10.4 or earlier. Upgrade to 1.10.4 to resolve the vulnerability.
Upgrade HedgeDoc to version 1.10.4 or later. Consider implementing a Content Security Policy (CSP) as an interim measure.
There are currently no known public exploits or confirmed active exploitation campaigns related to CVE-2025-66629.
Refer to the HedgeDoc release notes and security advisories on their official website or GitHub repository for details.