Platform: nodejs
Component: hedgedoc
Fixed in: 1.10.5
CVE-2025-66629 describes a Cross-Site Request Forgery (CSRF) vulnerability in HedgeDoc, an open-source collaborative markdown notes application. The flaw lets an attacker trigger unintended actions in a user's HedgeDoc account through crafted requests. It affects HedgeDoc versions prior to 1.10.4 and has been resolved in version 1.10.4.
The vulnerability allows an attacker to craft requests that appear to originate from a legitimate user. If an authenticated user visits a malicious website or clicks a crafted link, the attacker can perform actions on the user's behalf, such as modifying notes or changing account settings. The impact is limited to actions reachable through the vulnerable OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook, and Dropbox. Although the CVSS score is LOW, successful exploitation could lead to unauthorized data modification or account compromise, particularly where users store sensitive information in HedgeDoc.
This vulnerability was publicly disclosed on 2025-12-05. No public proof-of-concept exploits are currently known, and the vulnerability is not listed in the CISA KEV catalog at the time of writing. Given the LOW CVSS score and the absence of public exploits, the probability of active exploitation is currently considered low.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-66629 is to upgrade HedgeDoc to version 1.10.4 or later, which properly implements CSRF protection for the affected OAuth2 endpoints. If upgrading immediately is not feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which HedgeDoc can load resources (note that CSP limits what HedgeDoc's own pages may load; it does not stop a browser from sending an authenticated cross-site request). Additionally, educate users about the risks of clicking suspicious links and visiting untrusted websites. After upgrading, verify the fix by attempting to trigger a CSRF request through a previously vulnerable endpoint and confirming that the request is rejected.
Update HedgeDoc to version 1.10.4 or higher. This version fixes the CSRF vulnerability in the OAuth2 flows by validating the OAuth2 'state' parameter. The update can be performed through the package manager or by following the upgrade instructions provided by HedgeDoc.
CVE-2025-66629 is a Cross-Site Request Forgery (CSRF) vulnerability in HedgeDoc versions prior to 1.10.4 that allows attackers to perform actions as authenticated users via the social login flows.
You are affected if you are using HedgeDoc version 1.10.4 or earlier. Upgrade to 1.10.4 to resolve the vulnerability.
Upgrade HedgeDoc to version 1.10.4 or later. Consider implementing a Content Security Policy (CSP) as an interim measure.
There are currently no known public exploits and no confirmed active exploitation campaigns related to CVE-2025-66629.
Refer to the HedgeDoc release notes and security advisories on their official website or GitHub repository for details.