Scan free
CRITICALCVE-2025-30223CVSS 9.3

CVE-2025-30223: XSS in Beego Go Web Framework

Platform

go

Component

github.com/beego/beego

Fixed in

2.3.7

2.3.6

AI Confidence: highNVDEPSS 0.3%Reviewed: May 2026
View on NVD
Save

CVE-2025-30223 describes a critical Cross-Site Scripting (XSS) vulnerability affecting the Beego Go web framework. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, data theft, or defacement. The vulnerability stems from insufficient input sanitization within the RenderForm() function. Affected versions include Beego releases prior to 2.3.6; upgrading to the latest version is the recommended remediation.

Go

Detect this CVE in your project

Upload your go.mod file and we'll tell you instantly if you're affected.

Upload go.mod

Impact and Attack Scenarios

The XSS vulnerability in Beego allows attackers to execute arbitrary JavaScript code within the context of a victim's browser. This can be exploited to steal session cookies, redirect users to malicious websites, or modify the content of web pages. A successful attack could compromise sensitive user data, including credentials and personal information. The impact is particularly severe in applications that rely on Beego for rendering forms and handling user input. Given the widespread use of Go and web frameworks like Beego, this vulnerability has a potentially broad attack surface.

Exploitation Context

CVE-2025-30223 was publicly disclosed on 2025-04-01. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and the ease of exploitation (reflected XSS) suggest a high probability of exploitation. No Proof-of-Concept (PoC) code has been publicly released as of this writing, but the vulnerability is likely to be targeted by automated scanners and malicious actors. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.34% (56% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N9.3CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentgithub.com/beego/beego
Vendorosv
Affected rangeFixed in
< 2.3.6 – < 2.3.62.3.7
2.3.6

Weakness Classification (CWE)

CWE-79

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-30223 is to upgrade to Beego version 2.3.6 or later, which includes the necessary input sanitization fixes. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the application level to sanitize user-supplied data before rendering it in forms. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of defense. Monitor application logs for suspicious activity, such as unusual JavaScript execution patterns.

How to fix

Update the version of Beego to 2.3.6 or higher. This version fixes the XSS vulnerability in the RenderForm() function. Ensure you review and adapt any custom code that uses RenderForm() to ensure that user-provided data is properly escaped.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-30223 — XSS in Beego Go Web Framework?

CVE-2025-30223 is a critical XSS vulnerability in Beego versions prior to 2.3.6, allowing attackers to inject malicious scripts via unescaped user input in the RenderForm() function.

Am I affected by CVE-2025-30223 in Beego Go Web Framework?

If you are using Beego version 2.3.5 or earlier, you are affected by this vulnerability. Assess your application's usage of RenderForm() and implement mitigations if immediate upgrade is not possible.

How do I fix CVE-2025-30223 in Beego Go Web Framework?

Upgrade to Beego version 2.3.6 or later. Implement input validation and output encoding as an interim measure.

Is CVE-2025-30223 being actively exploited?

While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.

Where can I find the official Beego advisory for CVE-2025-30223?

Refer to the Beego project's official website and GitHub repository for updates and security advisories related to CVE-2025-30223.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs