CVE-2025-54117
BaseFortify
Publication date: 2025-08-18
Last updated on: 2025-08-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| namelessmc | nameless | to 2.2.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54117 is a critical stored Cross-Site Scripting (XSS) vulnerability in NamelessMC versions before 2.2.4. It allows remote authenticated attackers with low privileges to inject malicious web scripts or HTML via the dashboard text editor component, such as in user profile signatures. When a privileged user views or edits the infected content, the malicious script executes in their browser, potentially compromising the system. The vulnerability arises from improper sanitization and encoding of HTML content, which was fixed by enhancing the HTML purification process with context-aware encoding to prevent such script injections. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to severe impacts including unauthorized script execution in the browsers of privileged users, which can compromise the confidentiality, integrity, and availability of the NamelessMC system. Attackers can inject malicious code that executes when administrators or other privileged users view or edit infected profiles, potentially allowing attackers to steal sensitive information, manipulate data, or disrupt service. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the user settings endpoint that include script or HTML injection attempts in fields like the profile signature. For example, look for payloads containing tags such as <img src=x onerror=...> or other suspicious HTML/script content. A command to detect such attempts in web server logs could be: grep -iE '<img|<script|onerror' /path/to/access.log. Additionally, manual inspection or automated scanning of user-editable fields in the dashboard text editor for injected scripts can help identify exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade NamelessMC to version 2.2.4 or later, where the vulnerability is fixed by improved HTML purification and context-aware encoding in the dashboard text editor component. Until the upgrade is applied, restrict or monitor user privileges to limit who can edit profile signatures or other editable fields, and consider applying web application firewall (WAF) rules to block suspicious script injection payloads targeting these fields. [1, 2]