CVE-2025-47943
BaseFortify
Publication date: 2025-06-24
Last updated on: 2025-07-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-47943 is a stored cross-site scripting (XSS) vulnerability in the Gogs self-hosted Git service, specifically in its PDF preview feature. Gogs ships an outdated, vulnerable copy of the pdf.js library (version 1.4.20) under public/plugins/ and uses it to render PDF files in the browser. An attacker who can upload a crafted PDF containing JavaScript gets that script executed in the victim's browser when the victim previews the file inside Gogs, which amounts to arbitrary client-side JavaScript execution in the origin of the Gogs instance. [2]
How can this vulnerability impact me?
Because the attacker's JavaScript runs in the victim's browser with the victim's Gogs session, the main risk is to confidentiality (rated high): theft of session cookies or tokens, credentials, or any other private data reachable from that session. The attack needs some privileges (the ability to upload files to the instance) and user interaction (a victim must open the preview of the malicious PDF). The integrity impact is rated low and there is no availability impact. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to checking whether your Gogs installation still ships the vulnerable pdfjs-1.4.20 plugin under public/plugins/: look for the plugin directory itself, or for the pdf.js and pdf.worker.js files inside it. On a Linux host, for example, run `find /path/to/gogs/public/plugins/ -name "pdf.js"` or `ls /path/to/gogs/public/plugins/pdfjs-1.4.20`; any hit means the vulnerable component is present. A second, behavioural check is to upload and preview a crafted PDF carrying the XSS payload from the PoC and observe whether it executes. No network-level detection commands are provided for this issue. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to remove the vulnerable pdfjs-1.4.20 plugin from the Gogs installation: delete the whole PDF.js plugin directory, including pdf.js and pdf.worker.js, from public/plugins/. This disables in-browser PDF rendering in Gogs and with it the stored XSS. Since no patched Gogs version is currently available, removing the component is the recommended step. [1]
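As an added example that is neither Gogs' own tooling nor part of this advisory, the following POSIX shell script combines the detection and mitigation steps from the two answers above. It checks a Gogs install root (an assumed path, passed as the first argument) for the pdfjs-1.4.20 directory and for any pdf.js or pdf.worker.js file under public/plugins/, and it takes the plugin out of public/ by moving it to a quarantine directory rather than deleting it outright, so the change is reversible if something else turns out to depend on it. The function names, the quarantine location and the GOGS_ROOT variable are this example's own choices.

```shell
#!/bin/sh
# Added helper for CVE-2025-47943; not part of Gogs or of the advisory.
# Assumes "$1" is the Gogs root directory that contains the public/ tree.

# Returns 0 when no pdf.js artifacts exist under public/plugins, 1 when the
# pdfjs-1.4.20 directory or any pdf.js / pdf.worker.js file is found.
check_gogs_pdfjs() {
  plugins="$1/public/plugins"
  hits=0
  # 1. The exact plugin directory named in the advisory.
  if [ -d "$plugins/pdfjs-1.4.20" ]; then
    echo "found vulnerable plugin dir: $plugins/pdfjs-1.4.20"
    hits=1
  fi
  # 2. Any pdf.js / pdf.worker.js file, which also catches a renamed copy.
  n=$(find "$plugins" -type f \( -name pdf.js -o -name pdf.worker.js \) 2>/dev/null | wc -l | tr -d ' ')
  if [ "$n" -gt 0 ]; then
    find "$plugins" -type f \( -name pdf.js -o -name pdf.worker.js \) 2>/dev/null \
      | sed 's/^/found pdf.js artifact: /'
    hits=1
  fi
  return $hits
}

# Moves the plugin out of public/ into a timestamped quarantine directory
# (an assumed location, $1/quarantine). Once it is outside public/ the web
# server no longer serves it, which is what removes the XSS surface.
quarantine_gogs_pdfjs() {
  plugins="$1/public/plugins"
  dest="$1/quarantine"
  [ -d "$plugins/pdfjs-1.4.20" ] || return 0
  mkdir -p "$dest"
  mv "$plugins/pdfjs-1.4.20" "$dest/pdfjs-1.4.20.$(date +%Y%m%d%H%M%S)"
  echo "moved pdfjs-1.4.20 to $dest"
}

# Stand-alone use: GOGS_ROOT=/var/lib/gogs sh check_pdfjs.sh
if [ -n "${GOGS_ROOT:-}" ]; then
  if check_gogs_pdfjs "$GOGS_ROOT"; then
    echo "no pdf.js artifacts under $GOGS_ROOT/public/plugins"
  fi
fi
```

Run the check first, confirm that the printed paths are the ones you expect, and only then quarantine; if you prefer the advisory's plain deletion, replace the `mv` with `rm -rf` of the same directory.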