Platform: zoom
Component: zoom-clients
Fixed in: 6.4.5
CVE-2025-49462 is a Cross-Site Scripting (XSS) vulnerability in certain Zoom Clients versions prior to 6.4.5. It could allow an authenticated user to disclose information via network access. The affected range is listed as versions 0 up to and including 6.4.5; the fix is available in version 6.4.5.
The primary impact of this XSS vulnerability is information disclosure. An attacker with authenticated access to a Zoom client could inject a script that, when rendered for other users, exposes sensitive data such as session tokens, user credentials, or other confidential information transmitted over the network. Although the CVSS score is LOW, the potential for data leakage, especially in organizations that rely heavily on Zoom for communication, warrants prompt remediation. The attack vector requires authentication, which limits the immediate scope, but successful exploitation could lead to further compromise if credentials are stolen.
CVE-2025-49462 was published on 2025-07-10. There are currently no publicly known proof-of-concept exploits available. The vulnerability's LOW severity rating suggests a low probability of active exploitation, but continuous monitoring is recommended. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-49462 is to upgrade Zoom Clients to version 6.4.5 or later. If an immediate upgrade is not feasible because of compatibility issues or testing requirements, consider implementing stricter input validation on user-supplied data within the Zoom client application. A direct WAF rule is unlikely to be effective for this client-side vulnerability, but reviewing Zoom client configurations for unnecessary permissions or features can reduce the attack surface. After upgrading, confirm the fix by attempting to trigger the XSS vulnerability using known attack vectors and verifying that the client properly sanitizes input.
Update to version 6.4.5 or later of Zoom Clients. This update corrects the Cross-site Scripting (XSS) vulnerability that could allow for information disclosure. Download the latest version from the official Zoom website or through your usual update channels.
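The remediation above reduces to one check across an inventory: is the installed client older than the fixed version? The following is an added example, not part of this advisory and not Zoom's own tooling. It parses version strings as they are typically reported (a dotted number, optionally followed by a build number in parentheses) and flags clients below 6.4.5, treating 6.4.5 and later as fixed per the "Fixed in" figure. The inventory is constructed sample data; host names and version strings are assumptions.

```python
import re

# Fixed version as stated in the advisory ("Fixed in: 6.4.5").
FIXED_VERSION = "6.4.5"


def parse_version(text):
    """Extract the dotted numeric version from strings like '6.3.11 (45460)'.

    Returns a tuple of ints so that versions compare numerically
    (e.g. 6.4.10 > 6.4.5, which a plain string comparison would get wrong).
    """
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version, fixed=FIXED_VERSION):
    """True if the reported client version is older than the fixed version."""
    installed = parse_version(version)
    target = parse_version(fixed)
    # Pad the shorter tuple with zeros so '6.4' compares as '6.4.0'.
    width = max(len(installed), len(target))
    installed += (0,) * (width - len(installed))
    target += (0,) * (width - len(target))
    return installed < target


# Constructed sample inventory: (host name, version string as reported by the client).
SAMPLE_INVENTORY = [
    ("host-a", "6.3.11 (45460)"),
    ("host-b", "6.4.5 (53200)"),
    ("host-c", "6.4.10"),
    ("host-d", "5.17.11"),
]


def hosts_needing_upgrade(inventory):
    """Return the host names whose Zoom client is below the fixed version."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: Zoom client below {FIXED_VERSION}, upgrade required")
```

Feed the function real inventory rows from an endpoint-management export and the same comparison applies; the numeric tuple comparison is the part worth keeping, since string comparison would wrongly rank "6.4.10" below "6.4.5".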
CVE-2025-49462 is a Cross-Site Scripting (XSS) vulnerability affecting Zoom Clients versions 0–6.4.5, allowing potential information disclosure.
If you are using a Zoom Client version between 0 and 6.4.5, you are potentially affected by this XSS vulnerability.
Upgrade your Zoom Clients to version 6.4.5 or later to resolve this vulnerability.
There are currently no publicly known active exploitation campaigns for CVE-2025-49462.
Refer to the official Zoom security advisory for CVE-2025-49462 on the Zoom security website.