Platform
other
Component
affine
Fixed in
0.24.1
0.24.2
A cross-site scripting (XSS) vulnerability has been identified in AFFiNE versions 0.24.0 through 0.24.1. This flaw resides within the Avatar Upload Image Endpoint, allowing attackers to inject malicious scripts. Successful exploitation could lead to session hijacking, data theft, or defacement of the application. The vulnerability is fixed in version 0.24.2.
The XSS vulnerability in AFFiNE's Avatar Upload Image Endpoint allows an attacker to inject arbitrary JavaScript code into a user's browser. This can be achieved by crafting a malicious image upload that contains a JavaScript payload. When a user views the uploaded image, the injected script executes, potentially granting the attacker access to sensitive information such as cookies, session tokens, or even the ability to perform actions on behalf of the user. The impact is amplified if the application is used in a sensitive context, such as handling personal or financial data. Given the publicly available exploit, the risk of exploitation is significant.
A public proof-of-concept exploit for CVE-2025-11945 is available, indicating a high likelihood of exploitation. The vulnerability was disclosed on 2025-10-19. The vendor was contacted but did not respond. The LOW CVSS score reflects the relatively limited impact and potential for exploitation, but the availability of a PoC significantly increases the risk.
AFFiNE deployments using versions 0.24.0 and 0.24.1 are at risk, particularly those handling user-uploaded content. Shared hosting environments where AFFiNE is installed alongside other applications are also vulnerable, as a compromised AFFiNE instance could potentially be used to attack other tenants.
Disclosure
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-11945 is to upgrade AFFiNE to version 0.24.2 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Avatar Upload Image Endpoint to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and restrict file upload permissions to prevent unauthorized file types from being uploaded. After upgrading, confirm the fix by attempting to upload a test image containing a simple JavaScript payload and verifying that it is properly sanitized and does not execute.
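As an added defensive example (not AFFiNE's own code), the upload-side checks and response hardening the mitigation above describes, in Node.js; the allowed image types, size limit and header values are assumptions:

```javascript
// Added example, not AFFiNE's own code. Two defences from the mitigation text:
// (1) accept only raster images whose declared MIME type matches the file's
// magic bytes, so a script-bearing file cannot be stored as an "image";
// (2) serve stored avatars with headers that stop browsers from sniffing or
// executing them. Allowed types, size limit and header values are assumptions.

const MAGIC = [
  { mime: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Returns the raster MIME type identified by the leading bytes, or null.
function sniffImageType(buf) {
  for (const { mime, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return mime;
  }
  return null;
}

// Validates one upload: size bounds, raster magic bytes, and agreement between
// the client's declared Content-Type and what the bytes actually are.
function validateAvatarUpload(declaredMime, buf, maxBytes = 2 * 1024 * 1024) {
  if (buf.length === 0 || buf.length > maxBytes) return { ok: false, reason: 'bad size' };
  const detected = sniffImageType(buf);
  if (detected === null) return { ok: false, reason: 'not a raster image' };
  const declared = declaredMime.toLowerCase().split(';')[0].trim();
  if (declared !== detected) return { ok: false, reason: 'mime mismatch' };
  return { ok: true, mime: detected };
}

// Headers for serving a stored avatar. The Content-Type is the sniffed one,
// never the uploader's; nosniff blocks MIME confusion; the CSP sandbox keeps
// anything served from this path from running script or touching cookies.
function avatarResponseHeaders(mime) {
  return {
    'Content-Type': mime,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'inline; filename="avatar"',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed sample inputs: the start of a PNG, and a markup file carrying a
// script element that a browser would run if it were served as a page.
const PNG_SAMPLE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const SCRIPT_SAMPLE = Buffer.from('<html><script>alert(1)</script></html>');
console.log(validateAvatarUpload('image/png', PNG_SAMPLE));    // { ok: true, mime: 'image/png' }
console.log(validateAvatarUpload('image/png', SCRIPT_SAMPLE)); // { ok: false, reason: 'not a raster image' }
```

The same sniffed type should be used when the avatar is later served, so a stored object is never returned under the Content-Type the uploader supplied.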
Update AFFiNE to a version later than 0.24.1 that contains the fix for the XSS vulnerability in the avatar upload endpoint. Consult the release notes or the vendor's website for more details about the update and any additional security measures.
CVE-2025-11945 is a cross-site scripting (XSS) vulnerability affecting the Avatar Upload Image Endpoint in AFFiNE versions 0.24.0–0.24.1, allowing attackers to inject malicious scripts.
Yes, if you are using AFFiNE versions 0.24.0 or 0.24.1, you are vulnerable to this XSS attack.
Upgrade AFFiNE to version 0.24.2 or later to resolve this vulnerability. Consider input validation as a temporary workaround.
Due to the availability of a public proof-of-concept, there is a high probability that CVE-2025-11945 is being actively exploited.
Please refer to the AFFiNE project's official website or communication channels for the advisory related to CVE-2025-11945.