Platform: other
Component: affine
Fixed in: 0.24.1, 0.24.2
A cross-site scripting (XSS) vulnerability has been identified in AFFiNE versions 0.24.0 through 0.24.1. This flaw resides within the Avatar Upload Image Endpoint, allowing attackers to inject malicious scripts. Successful exploitation could lead to session hijacking, data theft, or defacement of the application. The vulnerability is fixed in version 0.24.2.
The XSS vulnerability in AFFiNE's Avatar Upload Image Endpoint allows an attacker to inject arbitrary JavaScript code into a user's browser. This can be achieved by crafting a malicious image upload that contains a JavaScript payload. When a user views the uploaded image, the injected script executes, potentially granting the attacker access to sensitive information such as cookies, session tokens, or even the ability to perform actions on behalf of the user. The impact is amplified if the application is used in a sensitive context, such as handling personal or financial data. Given the publicly available exploit, the risk of exploitation is significant.
A public proof-of-concept exploit for CVE-2025-11945 is available, indicating a high likelihood of exploitation. The vulnerability was disclosed on 2025-10-19. The vendor was contacted but did not respond. The LOW CVSS score reflects the relatively limited impact and potential for exploitation, but the availability of a PoC significantly increases the risk.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-11945 is to upgrade AFFiNE to version 0.24.2 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Avatar Upload Image Endpoint to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and restrict file upload permissions to prevent unauthorized file types from being uploaded. After upgrading, confirm the fix by attempting to upload a test image containing a simple JavaScript payload and verifying that it is properly sanitized and does not execute.
Update AFFiNE to a version later than 0.24.1 that contains the fix for the XSS vulnerability in the avatar upload endpoint. Consult the release notes or the vendor's website for more details about the update and additional security measures.
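The interim mitigation above (validate what the avatar endpoint accepts, restrict uploaded file types, and serve the result safely) as an added example; this is not AFFiNE's own code, and the function names, the allowlist policy and the sample upload bytes are constructed assumptions. The check identifies the upload by its leading bytes and accepts only a small set of raster formats, so anything a browser could interpret as markup or script is rejected by format rather than by searching for payloads; the second helper sets the response headers a defender wants on the endpoint that serves stored avatars.

```javascript
// Added example (not AFFiNE project code). All names below are hypothetical.
// Policy: accept only raster image formats identified by their magic bytes.
const ALLOWED_IMAGE_TYPES = {
  'image/png':  { magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], ext: 'png' },
  'image/jpeg': { magic: [0xff, 0xd8, 0xff], ext: 'jpg' },
  'image/gif':  { magic: [0x47, 0x49, 0x46, 0x38], ext: 'gif' }, // "GIF8"
};

// Returns the MIME type implied by the bytes, or null if the content is not
// one of the allowed raster formats (SVG, HTML, XML and text all land here).
function sniffImageType(buf) {
  for (const [mime, { magic }] of Object.entries(ALLOWED_IMAGE_TYPES)) {
    if (buf.length >= magic.length && magic.every((b, i) => buf[i] === b)) return mime;
  }
  // WebP is a RIFF container: "RIFF" <size> "WEBP"
  if (buf.length >= 12 &&
      buf.toString('latin1', 0, 4) === 'RIFF' &&
      buf.toString('latin1', 8, 12) === 'WEBP') {
    return 'image/webp';
  }
  return null;
}

// Server-side gate for the upload handler. The declared Content-Type is
// untrusted input, so it must agree with what the bytes actually are.
function validateAvatarUpload(buf, declaredMime, maxBytes = 2 * 1024 * 1024) {
  if (buf.length === 0) return { ok: false, reason: 'empty upload' };
  if (buf.length > maxBytes) return { ok: false, reason: 'upload exceeds size limit' };
  const sniffed = sniffImageType(buf);
  if (sniffed === null) return { ok: false, reason: 'not an allowed raster image format' };
  if (declaredMime !== sniffed) {
    return { ok: false, reason: `declared type ${declaredMime} does not match content ${sniffed}` };
  }
  // A magic-byte check is only the first gate: production code should also
  // decode and re-encode the image with an image library so that any
  // embedded metadata or trailing data is discarded before storage.
  return { ok: true, mime: sniffed };
}

// Headers for the endpoint that serves a stored avatar: pin the type, stop
// browser sniffing, and deny script execution even if something slips through.
function avatarResponseHeaders(mime) {
  const ext = mime === 'image/webp' ? 'webp' : ALLOWED_IMAGE_TYPES[mime].ext;
  return {
    'Content-Type': mime,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `inline; filename="avatar.${ext}"`,
    'Content-Security-Policy': "default-src 'none'; sandbox",
    'Cache-Control': 'private, max-age=86400',
  };
}

// Constructed fixtures: a PNG signature followed by filler (enough for the
// check, not a decodable image) and a harmless SVG document.
const SAMPLE_PNG = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  Buffer.alloc(16),
]);
const SAMPLE_SVG = Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"></svg>');

console.log(validateAvatarUpload(SAMPLE_PNG, 'image/png'));   // accepted
console.log(validateAvatarUpload(SAMPLE_SVG, 'image/svg+xml')); // rejected by format
console.log(validateAvatarUpload(SAMPLE_PNG, 'image/jpeg'));   // rejected: type mismatch
console.log(avatarResponseHeaders('image/png'));
```

Rejecting by format rather than by payload signature is the design choice worth keeping: a denylist of script markers has to be complete forever, while an allowlist of raster formats only has to be correct once, and the serving headers give a second, independent line of defence for whatever is already stored.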
CVE-2025-11945 is a cross-site scripting (XSS) vulnerability affecting the Avatar Upload Image Endpoint in AFFiNE versions 0.24.0–0.24.1, allowing attackers to inject malicious scripts.
Yes, if you are using AFFiNE versions 0.24.0 or 0.24.1, you are vulnerable to this XSS attack.
Upgrade AFFiNE to version 0.24.2 or later to resolve this vulnerability. Consider input validation as a temporary workaround.
Due to the availability of a public proof-of-concept, there is a high probability that CVE-2025-11945 is being actively exploited.
Please refer to the AFFiNE project's official website or communication channels for the advisory related to CVE-2025-11945.