Platform
javascript
Component
stage-ui
Fixed in
0.7.3
CVE-2025-59053 describes a critical cross-site scripting (XSS) vulnerability discovered in the AIRI Stage UI component. This flaw allows attackers to inject malicious HTML and JavaScript code into card files, which are then processed and rendered directly in the user's browser, potentially leading to account takeover or data theft. The vulnerability affects versions 0.7.2-beta.2 and earlier, and a patch is available in version 0.7.2-beta.3.
An attacker can exploit this XSS vulnerability by crafting a malicious card file containing JavaScript or HTML payloads. When a user processes this card file through the AIRI Stage UI, the injected code will be executed within the user's browser context. This can lead to a variety of attacks, including session hijacking, credential theft, redirection to phishing sites, and defacement of the user interface. The impact is particularly severe as the vulnerability allows for arbitrary client-side code execution, granting the attacker a high degree of control over the affected user's session. This vulnerability shares similarities with other XSS vulnerabilities where unsanitized user input is directly rendered into the DOM.
CVE-2025-59053 was publicly disclosed on 2025-09-11. No known active exploitation campaigns have been reported at the time of writing. There are currently no public proof-of-concept exploits available, but the vulnerability's nature makes it likely that such exploits will emerge. It is not listed on the CISA KEV catalog.
Self-hosted AIRI deployments running versions 0.7.2-beta.2 or earlier are at immediate risk. Users who process card files from untrusted sources are particularly vulnerable. Shared hosting environments where multiple users share the same AIRI instance could experience widespread impact if one user is compromised.
• javascript / web: Examine card files for suspicious HTML or JavaScript code. Use browser developer tools to inspect the DOM for unexpected script tags or event handlers.
• javascript / web: Monitor network traffic for requests containing unusual parameters or payloads.
• javascript / web: Review AIRI Stage UI logs for errors or anomalies related to Markdown processing.
• javascript / web: Use a static code analysis tool to scan the codebase for potential XSS vulnerabilities.
disclosure
Exploit status
EPSS
0.04% (percentile 11%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-59053 is to immediately upgrade to version 0.7.2-beta.3 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation and output sanitization on the Markdown content before rendering it in the UI. While not a complete solution, this can help reduce the attack surface. Additionally, implement a Web Application Firewall (WAF) with rules to detect and block requests containing suspicious HTML or JavaScript payloads. Regularly scan your AIRI Stage UI deployment for vulnerabilities using automated security tools.
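The detection advice above (examine card files for HTML or JavaScript) and the interim mitigation (validate and sanitize card content before it is rendered) can be combined in a small defender-side check. The following is an added example, not AIRI project code; the card field names and the JSON-path format are assumed for illustration, and the sample card is constructed.

```javascript
// Added example (not AIRI project code): scan a character-card style JSON
// document for raw HTML / script indicators before it reaches a renderer,
// and HTML-escape text fields that are inserted into the page as text.
// Field names are assumed; the real card schema is not given on the page.

const SUSPICIOUS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-url', re: /javascript\s*:/i },
  { name: 'embed-frame',    re: /<\s*(iframe|object|embed)\b/i },
  { name: 'svg-or-math',    re: /<\s*(svg|math)\b/i },
];

// Walk every string value in the card (nested objects and arrays included)
// and report which indicator matched at which JSON path.
function scanCardFile(card, path = '$', findings = []) {
  if (typeof card === 'string') {
    for (const { name, re } of SUSPICIOUS) {
      if (re.test(card)) findings.push({ path, indicator: name });
    }
  } else if (Array.isArray(card)) {
    card.forEach((v, i) => scanCardFile(v, `${path}[${i}]`, findings));
  } else if (card && typeof card === 'object') {
    for (const [k, v] of Object.entries(card)) scanCardFile(v, `${path}.${k}`, findings);
  }
  return findings;
}

// Escape the five characters that matter when a field is inserted as text
// into HTML. Use this (or a maintained sanitizer such as DOMPurify) instead
// of writing card content to innerHTML unescaped.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Constructed sample card: two benign fields and one carrying an injected
// inline event handler, the pattern the advisory's detection bullet targets.
const sampleCard = {
  name: 'Demo',
  description: 'A friendly **assistant**.',
  greeting: 'Hi <img src=x onerror=alert(1)>',
};

console.log(scanCardFile(sampleCard)); // [{ path: '$.greeting', indicator: 'event-handler' }]
console.log(escapeHtml(sampleCard.greeting));
```

The scanner is a triage aid for flagging untrusted card files, not a sanitizer; rendering still needs escaping or a proper allowlist sanitizer on the output path.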
Update AIRI to version 0.7.2-beta.3 or later. This version fixes the XSS vulnerability and the possibility of remote code execution. The update mitigates the risk of an attacker executing malicious code on your system.
CVE-2025-59053 is a critical XSS vulnerability in AIRI Stage UI versions 0.7.2-beta.2 and prior, allowing attackers to inject malicious code via card files.
You are affected if you are running AIRI Stage UI version 0.7.2-beta.2 or earlier and process card files from untrusted sources.
Upgrade to version 0.7.2-beta.3 or later to resolve the vulnerability. Consider input validation and WAF rules as temporary mitigations.
No active exploitation campaigns have been reported, but the vulnerability's nature makes exploitation likely.
Refer to the official AIRI project documentation and security advisories for the latest information.