CVE-2025-58430
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-10-10

Assigner: GitHub, Inc.

Description
listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can result in improper admin account creation. As of time of publication, no patched versions are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-10-10
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58430
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nadh listmonk to 1.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in listmonk involves a failure to validate a nonce token included in HTTP requests, combined with the session cookie lacking a SameSite attribute. This allows attackers to perform a chained attack using Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). Attackers can craft malicious requests that authenticated users unknowingly execute, including submitting templates with embedded JavaScript code. When an admin previews these templates, the malicious code runs in their browser, enabling the attacker to create new admin accounts and take over the application. [1]

Impact Analysis

The vulnerability can lead to a complete administrative takeover of the listmonk web application. Attackers can create new admin user accounts without authorization by exploiting the chained CSRF and XSS vulnerabilities, potentially compromising all administrative functions and data within the application. [1]

Detection Guidance

Detection involves monitoring HTTP requests to the listmonk application for the presence of the 'nonce' parameter in requests alongside the 'session' cookie. Since the nonce is not validated, requests missing the nonce are processed correctly, which is unusual behavior. You can use tools like curl or browser developer tools to inspect requests. For example, use curl to send requests with and without the nonce parameter to see if the server processes them identically. Additionally, monitoring for suspicious POST requests to endpoints like '/api/templates/preview' or '/api/users' that may contain embedded JavaScript or unexpected JSON payloads can help detect exploitation attempts. Example command to test nonce behavior: curl -i -b 'session=your_session_cookie' -X POST https://your-listmonk-instance/api/templates/preview -d 'template=normal' and then repeat without the nonce parameter to compare responses. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the listmonk application to trusted networks or users, disabling or limiting the ability to create or preview templates via the '/api/templates/preview' endpoint, and monitoring for suspicious activity such as unexpected admin user creation. Since no patched versions are available, consider implementing web application firewall (WAF) rules to block CSRF and XSS attack patterns, and ensure that session cookies have the SameSite attribute set to prevent cross-origin requests from carrying authentication credentials. Additionally, educate users to avoid interacting with untrusted links or pages that could trigger CSRF attacks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart