CVE-2025-50183
BaseFortify
Publication date: 2025-06-19
Last updated on: 2025-06-23
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50183 is a stored Cross-Site Scripting (XSS) vulnerability in the OpenList Frontend application affecting versions up to 4.0.0-rc.3. It occurs in the file preview/browsing feature where files with a .py extension containing JavaScript code wrapped in <script> tags are improperly interpreted and executed as HTML. This allows an attacker to execute arbitrary JavaScript in the victim's browser when the victim views such a file in preview or browsing mode. [2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious JavaScript code in your browser when you view a specially crafted .py file in the OpenList preview feature. The impact includes high confidentiality risk as attackers can access user cookies, login states, localStorage, and potentially sensitive files accessible to certain users. However, it does not affect integrity or availability. User interaction is required to trigger the attack, and no special permissions are needed if public or visitor access is enabled. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your OpenList Frontend version is at or below 4.0.0-rc.3 and if the file preview/browsing feature allows rendering of .py files containing <script> tags as HTML. A practical detection method is to upload a test .py file containing a harmless script such as <script>alert(document.cookie);</script> and then preview it in the application to see if the script executes. There are no specific network commands provided, but checking the application version and testing file preview behavior is recommended. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the OpenList Frontend to version 4.0.0-rc.4 or later where the vulnerability is patched. Additionally, disable any rendering modes that interpret user-uploaded content as HTML, and treat all previewed file types, including .py files, as plain text unless explicitly sanitized to prevent script execution. [2, 1]
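The mitigation above, treating every previewed file as text rather than HTML, as an added example that is not OpenList's own code. The function names (buildPreviewUnsafe, buildPreviewSafe, rawFileHeaders) and the sample .py file are constructed for illustration; the weak renderer is shown only so the difference is visible side by side.

```javascript
// Added example (not from the OpenList project): a file-preview renderer that
// emits user-uploaded content as escaped text, never as live markup.

// Escape the five characters that can change meaning inside HTML element
// content or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak pattern: file bytes spliced straight into markup. A .py file whose body
// carries <script> tags becomes executable HTML in the viewer's browser.
function buildPreviewUnsafe(filename, content) {
  return `<div class="preview" data-name="${filename}">${content}</div>`;
}

// Hardened pattern: whatever the extension, the file is rendered inside <pre>
// with both the name and the body escaped, so tags are displayed, not parsed.
function buildPreviewSafe(filename, content) {
  return `<pre class="preview" data-name="${escapeHtml(filename)}">${escapeHtml(content)}</pre>`;
}

// Headers for a route that serves the raw file (download / "open" links), so a
// browser does not sniff a .py file into text/html. Constructed defaults, not
// OpenList's configuration.
function rawFileHeaders(filename) {
  return {
    'Content-Type': 'text/plain; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `attachment; filename="${encodeURIComponent(filename)}"`,
  };
}

// Simple check usable in a unit test: does rendered output still contain an
// unescaped <script> opening tag?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample file: Python source with the harmless probe from the
// detection answer embedded in it.
const SAMPLE_NAME = 'hello.py';
const SAMPLE_CONTENT = 'print("hi")\n<script>alert(document.cookie);</script>\n';

console.log('unsafe still has <script>:', containsRawScript(buildPreviewUnsafe(SAMPLE_NAME, SAMPLE_CONTENT)));
console.log('safe still has <script>:  ', containsRawScript(buildPreviewSafe(SAMPLE_NAME, SAMPLE_CONTENT)));
```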