Plataforma
react
Componente
cba7c19a4eafcb326d0e912adf132be3
Corrigido em
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.23
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
A cross-site scripting (XSS) vulnerability has been identified in lettura, a React component, affecting versions 0.1.0 through 0.1.22. This vulnerability allows remote attackers to inject malicious scripts by manipulating the RSS Handler component. The issue stems from improper handling of data within the ContentRender.tsx file. A patch, version 0.1.23, has been released to address this security concern.
Successful exploitation of CVE-2025-15454 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the application, and theft of sensitive user data. The attacker could potentially gain access to user credentials, personal information, or other confidential data stored within the application. Given the component's role in handling RSS feeds, an attacker could inject malicious scripts into these feeds, impacting all users who consume them. The public availability of the exploit increases the risk of widespread exploitation.
The exploit for CVE-2025-15454 is publicly available, indicating a higher risk of exploitation. The vulnerability's CVSS score is LOW, suggesting that exploitation may require some level of attacker skill or specific conditions. As of the publication date, there is no indication of this vulnerability being actively exploited in the wild, but the public availability of the exploit warrants immediate attention and remediation.
Applications utilizing the lettura React component in their RSS feed handling functionality are at risk. This includes websites and web applications that display RSS content, particularly those relying on external feeds. Shared hosting environments where multiple applications share the same codebase are also at increased risk, as a vulnerability in one application could potentially impact others.
• react: Inspect the src/components/ArticleView/ContentRender.tsx file for any unsanitized user input used in rendering the RSS feed. Look for patterns where data from the feed is directly inserted into the DOM without proper encoding.
// Example of potentially vulnerable code
const renderArticle = (article) => {
return <div>{article.title}</div>; // Vulnerable if article.title is not sanitized
};• generic web: Monitor access logs for unusual requests targeting the RSS feed endpoint. Look for requests containing suspicious characters or patterns commonly associated with XSS attacks.
grep -i '<script' /var/log/apache2/access.logdisclosure
Status do Exploit
EPSS
0.01% (percentil 3%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2025-15454 is to upgrade to version 0.1.23 of lettura. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the RSS Handler component to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Carefully review and sanitize any data received from external sources, particularly RSS feeds, to prevent malicious scripts from being injected. After upgrading, confirm the fix by attempting to inject a simple XSS payload through the RSS feed and verifying that it is properly sanitized.
Actualice la versión de lettura a la versión 0.1.23 o superior. Esto corrige la vulnerabilidad de cross-site scripting en el componente RSS Handler. La actualización se puede realizar reemplazando el archivo src/components/ArticleView/ContentRender.tsx con la versión parcheada.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2025-15454 is a cross-site scripting (XSS) vulnerability affecting versions 0.1.0–0.1.22 of the lettura React component, allowing remote code execution.
You are affected if your application uses lettura versions 0.1.0 through 0.1.22 and handles RSS feeds without proper input sanitization.
Upgrade to version 0.1.23 of lettura. Implement input validation and output encoding as a temporary workaround if upgrading is not immediately possible.
While there's no confirmed active exploitation, the public availability of the exploit increases the risk of future attacks.
Refer to the project's repository or documentation for the official advisory regarding CVE-2025-15454.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.