A critical Cross-Site Scripting (XSS) vulnerability (CVE-2025-54117) has been identified in NamelessMC, a popular website software for Minecraft servers. This flaw allows authenticated attackers to inject malicious web scripts or HTML into the dashboard, potentially leading to account takeover or defacement. The vulnerability affects versions of NamelessMC prior to 2.2.3, with a fix available in version 2.2.4.
Successful exploitation of CVE-2025-54117 allows an attacker with authenticated access to the NamelessMC dashboard to inject arbitrary JavaScript code. This code can then be executed in the context of other users accessing the dashboard, potentially leading to session hijacking, credential theft, or the injection of malicious content onto the Minecraft server website. The impact is particularly severe as the dashboard often contains sensitive information related to server configuration and user accounts. Attackers could also leverage this vulnerability to redirect users to phishing sites or install malware.
CVE-2025-54117 was publicly disclosed on 2025-08-18. No public proof-of-concept exploits have been identified at the time of writing, but the ease of exploitation inherent in XSS vulnerabilities suggests a potential for rapid exploitation. The vulnerability's criticality (CVSS 9.1) indicates a high probability of exploitation if left unpatched. It is not currently listed on CISA KEV.
Minecraft server administrators using NamelessMC versions prior to 2.2.4 are at direct risk. Shared hosting environments where multiple Minecraft servers share the same NamelessMC installation are particularly vulnerable, as a compromise of one server could potentially lead to the compromise of others. Users who have not implemented robust password policies or multi-factor authentication are also at increased risk.
• wordpress / composer / npm:
  grep -r "<script>" /var/www/namelessmc/cache/*
  grep -r '<img src="javascript:' /var/www/namelessmc/cache/*
• generic web:
  curl -I https://your-namelessmc-site.com/dashboard/ | grep -i 'content-security-policy'
Exploitation status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2025-54117 is to immediately upgrade NamelessMC to version 2.2.4 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding within the dashboard text editor to sanitize user-supplied content. While not a complete solution, this can reduce the attack surface. Review dashboard access controls to limit the number of users with administrative privileges. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the dashboard text editor; it should be properly sanitized and not execute.
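As an added example (not NamelessMC code and not part of the advisory), the script below generalises the two literal grep checks above into a case-insensitive scan of the cache directory for the same two stored-XSS markers, and shows the output encoding the mitigation paragraph calls for; the cache path, the marker names and the sample payload are assumptions constructed for illustration.

```python
import html
import re
from pathlib import Path

# Patterns generalising the advisory's two grep checks: an opening <script>
# tag and a javascript: URI in a src/href attribute, matched case-insensitively
# and tolerating whitespace and attribute-quoting variants a literal grep misses.
XSS_MARKERS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(
        r"""(?:src|href)\s*=\s*["']?\s*javascript:""", re.IGNORECASE
    ),
}


def find_xss_markers(text: str) -> dict[str, int]:
    """Count each marker type in one cached/rendered HTML fragment."""
    return {name: len(rx.findall(text)) for name, rx in XSS_MARKERS.items()}


def scan_cache_dir(cache_dir: str) -> dict[str, dict[str, int]]:
    """Walk a cache directory (e.g. /var/www/namelessmc/cache, as in the
    advisory) and return only the files containing at least one marker."""
    hits = {}
    for path in Path(cache_dir).rglob("*"):
        if path.is_file():
            counts = find_xss_markers(path.read_text(errors="replace"))
            if any(counts.values()):
                hits[str(path)] = counts
    return hits


def render_dashboard_text(user_text: str) -> str:
    """Output-encode user-supplied dashboard text before embedding it in HTML.
    quote=True also escapes quotes, so the text is safe inside attributes."""
    return html.escape(user_text, quote=True)


# Constructed sample resembling a stored payload in a dashboard text field.
SAMPLE_PAYLOAD = 'Welcome! <SCRIPT >alert(1)</script><img SRC = "javascript:alert(2)">'

if __name__ == "__main__":
    print(find_xss_markers(SAMPLE_PAYLOAD))                          # both markers hit
    print(find_xss_markers(render_dashboard_text(SAMPLE_PAYLOAD)))   # all zero
    print(scan_cache_dir("/var/www/namelessmc/cache"))               # {} if clean
```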
Update NamelessMC to version 2.2.4 or later. This version contains the fix for the XSS vulnerability. The update can be applied through the admin panel or by downloading the latest version of the software.
CVE-2025-54117 is a critical Cross-Site Scripting (XSS) vulnerability affecting NamelessMC versions before 2.2.4. It allows attackers to inject malicious scripts into the dashboard.
You are affected if you are using NamelessMC version 2.2.4 or earlier. Check your version and upgrade immediately.
Upgrade NamelessMC to version 2.2.4 or later. If immediate upgrade is not possible, implement input validation and output encoding in the dashboard text editor.
While no public exploits are currently known, the high severity and ease of exploitation suggest a potential for active exploitation.
Refer to the official NamelessMC website and security announcements for the latest information and advisory regarding CVE-2025-54117.