CVE-2025-49126
BaseFortify
Publication date: 2025-06-23
Last updated on: 2025-06-23
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49126 is a reflected Cross-Site Scripting (XSS) vulnerability in Visionatrix, an AI media processing tool, affecting versions 1.5.0 up to but not including 2.5.1. The /docs/flows endpoint builds its Swagger UI page with FastAPI's get_swagger_ui_html function and hands that function arguments derived from the request's query string. get_swagger_ui_html performs no encoding of its own: its arguments are interpolated straight into the page markup and its inline initialisation script, where the OpenAPI URL lands inside a single-quoted JavaScript string literal (url: '...'). A value containing a single quote therefore closes that literal, and whatever follows runs as JavaScript in the victim's browser. Because the script executes in the application's own origin, it can act with the user's session and exfiltrate secrets the application stores. Version 2.5.1 fixes the issue by strictly validating the user-supplied value and encoding query parameters before they reach the page. [2, 1]
How can this vulnerability impact me?
This vulnerability can lead to full application takeover. An attacker who gets a user to open a crafted /docs/flows URL runs arbitrary JavaScript in that user's browser within the application's origin; the script can hijack the session, read secrets the application exposes to the browser such as authentication tokens and API keys and send them to a host the attacker controls, or issue authenticated requests on the user's behalf. The victim only has to follow the link, so this is a one-click attack, and a logged-in administrator is the most valuable target. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Test the /docs/flows endpoint for reflection by sending a probe in the 'flows' query parameter and inspecting the response. With curl: curl -sv "http://<target>:<port>/docs/flows?flows='%2balert(document.domain)%2b'" (%2b is a URL-encoded plus sign, so the server sees '+alert(document.domain)+', which closes the single-quoted JavaScript string Swagger UI is initialised with and splices in a function call). curl does not execute JavaScript, so do not wait for a pop-up: if the string '+alert(document.domain)+' appears verbatim inside the inline script in the response body, the input is reflected without encoding and the instance is vulnerable; a patched instance rejects the value or reflects it percent-encoded. Opening the same URL in a browser against a test instance confirms execution with an alert box showing the application's origin. To detect exploitation attempts, review web-server or proxy logs for requests to /docs/flows whose 'flows' value, after URL-decoding (decode twice, since attackers double-encode to evade naive matching), contains single or double quotes, angle brackets, parentheses or plus signs, or fragments such as alert( or document.; a legitimate flow name should not need any of these. Independently of probing, check the installed Visionatrix version: anything from 1.5.0 up to but not including 2.5.1 is affected. [2]
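The two checks described above, as an added example (not code from BaseFortify or the Visionatrix project): a scan over web-server log lines for /docs/flows requests whose decoded 'flows' value carries string-breakout characters, and a check that tells whether a probe came back unchanged in a response body captured with curl. The log lines are constructed for illustration; the log format, the double-decoding and the character list are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample web-server log lines (combined log format) for illustration; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2025:10:01:02 +0000] "GET /docs/flows?flows=default HTTP/1.1" 200 5120
10.0.0.7 - - [23/Jun/2025:10:01:09 +0000] "GET /docs/flows?flows='%2balert(document.domain)%2b' HTTP/1.1" 200 5190
10.0.0.9 - - [23/Jun/2025:10:02:11 +0000] "GET /docs/flows?flows=%2527%252Bfetch(%2522//attacker.example%2522)%252B%2527 HTTP/1.1" 200 5210
10.0.0.3 - - [23/Jun/2025:10:03:00 +0000] "GET /api/flows?flows=%27 HTTP/1.1" 200 880
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/')
# Characters a flow name should never need, but that a JS string-breakout payload does.
SUSPECT_RE = re.compile(r"""['"<>()+]|javascript:|document\.""", re.IGNORECASE)


def flows_values(query: str):
    """Yield raw 'flows=' values, avoiding the +-to-space rewrite that parse_qs would apply."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "flows":
            yield value


def decode_param(value: str) -> str:
    # Decode twice so a double-encoded payload (%2527 -> %27 -> ') is still seen in clear.
    return unquote(unquote(value))


def suspicious_flows_requests(log_text: str):
    """Return (log line, decoded flows value) for /docs/flows requests carrying breakout characters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/docs/flows":
            continue
        for raw in flows_values(parts.query):
            decoded = decode_param(raw)
            if SUSPECT_RE.search(decoded):
                hits.append((line, decoded))
    return hits


def reflected_verbatim(body: str, encoded_payload: str) -> bool:
    """True if the decoded probe appears unchanged in a response body (e.g. curl -s output)."""
    return decode_param(encoded_payload) in body


if __name__ == "__main__":
    for line, decoded in suspicious_flows_requests(SAMPLE_LOG):
        print("suspect:", decoded, "<-", line.split('"')[1])
```

Feed reflected_verbatim() the body saved from the curl command above together with the encoded probe; True means the instance reflects the input unencoded. Run suspicious_flows_requests() over your own access log to find attempts that have already happened.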
What immediate steps should I take to mitigate this vulnerability?
Upgrade Visionatrix to version 2.5.1 or later; the fix validates the 'flows' parameter strictly and encodes query parameters before they reach the Swagger UI page. After upgrading, re-run the probe from the detection section and confirm the value is rejected or comes back percent-encoded. If you cannot upgrade immediately, keep the /docs/flows endpoint (and the API documentation endpoints generally) reachable only from trusted networks or behind authentication, and add a reverse-proxy or WAF rule that blocks or at least logs requests to /docs/flows whose 'flows' value contains quotes, angle brackets or script fragments. Bear in mind that a reflected XSS request is sent by the victim's own browser, so network restrictions and authentication shrink the set of users an attacker can target but do not remove the flaw for users who are allowed in; only the patch does that. If your logs show probes that reached real users, treat the secrets those users could access as exposed and rotate them. [1, 2]
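To make the root cause from the explanation above and the fix described here concrete, the following added example (written for this page, not Visionatrix's or FastAPI's own code) places a hypothetical vulnerable /docs/flows handler next to a hardened one. The SWAGGER_FRAGMENT string is a reconstruction of the two interpolation sites that matter in FastAPI's get_swagger_ui_html template; the handler names, the /openapi/flows.json URL and the allowlist of flow-name characters are assumptions of the example.

```python
import re
from html import escape
from urllib.parse import urlencode

# Reconstruction of the two interpolation sites in FastAPI's get_swagger_ui_html template that
# matter here: the title is dropped into HTML and the OpenAPI URL into a single-quoted JS literal,
# neither with any escaping. Stand-in for the real function, which emits a full page.
SWAGGER_FRAGMENT = (
    "<title>{title}</title>\n"
    "<script>\nconst ui = SwaggerUIBundle({{\n    url: '{openapi_url}',\n}})\n</script>"
)


def render_swagger(openapi_url: str, title: str) -> str:
    return SWAGGER_FRAGMENT.format(openapi_url=openapi_url, title=title)


# Hypothetical vulnerable handler: the 'flows' query value is spliced straight into the arguments.
# A value like  '+alert(document.domain)+'  closes the JS string literal and appends a call.
def docs_flows_vulnerable(flows: str) -> str:
    return render_swagger(openapi_url=f"/openapi/flows.json?flows={flows}", title=f"Flows: {flows}")


# Assumed allowlist: one or more comma-separated flow names made of word characters, dots and dashes.
FLOW_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+(?:,[A-Za-z0-9_.-]+)*")


class InvalidFlowsParam(ValueError):
    pass


def docs_flows_hardened(flows: str) -> str:
    if not FLOW_NAME_RE.fullmatch(flows):
        # Reject rather than "clean": no legitimate flow name needs a quote or a bracket.
        raise InvalidFlowsParam("flows must be a comma-separated list of flow names")
    # Validated input is still encoded for each output context: urlencode percent-encodes
    # everything outside the unreserved set for the URL, escape() covers the HTML title.
    query = urlencode({"flows": flows})
    return render_swagger(openapi_url=f"/openapi/flows.json?{query}", title=escape(f"Flows: {flows}"))


PROBE = "'+alert(document.domain)+'"   # decoded form of the curl probe from the detection section


def reflects_probe(handler) -> bool:
    """True if the handler returns a page containing the probe unchanged, i.e. it is exploitable."""
    try:
        body = handler(PROBE)
    except InvalidFlowsParam:
        return False
    return PROBE in body


if __name__ == "__main__":
    print("vulnerable handler reflects probe:", reflects_probe(docs_flows_vulnerable))  # True
    print("hardened handler reflects probe:  ", reflects_probe(docs_flows_hardened))    # False
    print(docs_flows_hardened("default,upscale"))
```

In a real FastAPI route the hardened function's two values are what you would pass as openapi_url= and title= to get_swagger_ui_html; the validation step can also be expressed as a pattern constraint on the query parameter so the framework returns 422 before the handler runs. The point of keeping both steps is that validation and encoding protect different contexts, and a later change to the allowlist must not silently reopen the JavaScript string.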