CVE-2025-58430
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-10-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nadh | listmonk | up to 1.1.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in listmonk involves a failure to validate a nonce token included in HTTP requests, combined with the session cookie lacking a SameSite attribute. This allows attackers to perform a chained attack using Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). Attackers can craft malicious requests that authenticated users unknowingly execute, including submitting templates with embedded JavaScript code. When an admin previews these templates, the malicious code runs in their browser, enabling the attacker to create new admin accounts and take over the application. [1]
How can this vulnerability impact me?
The vulnerability can lead to a complete administrative takeover of the listmonk web application. Attackers can create new admin user accounts without authorization by exploiting the chained CSRF and XSS vulnerabilities, potentially compromising all administrative functions and data within the application. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring HTTP requests to the listmonk application for the presence of the 'nonce' parameter in requests alongside the 'session' cookie. Since the nonce is not validated, requests missing the nonce are processed correctly, which is unusual behavior. You can use tools like curl or browser developer tools to inspect requests. For example, use curl to send requests with and without the nonce parameter to see if the server processes them identically. Additionally, monitoring for suspicious POST requests to endpoints like '/api/templates/preview' or '/api/users' that may contain embedded JavaScript or unexpected JSON payloads can help detect exploitation attempts. Example command to test nonce behavior: curl -i -b 'session=your_session_cookie' -X POST https://your-listmonk-instance/api/templates/preview -d 'template=normal' and then repeat without the nonce parameter to compare responses. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the listmonk application to trusted networks or users, disabling or limiting the ability to create or preview templates via the '/api/templates/preview' endpoint, and monitoring for suspicious activity such as unexpected admin user creation. Since no patched versions are available, consider implementing web application firewall (WAF) rules to block CSRF and XSS attack patterns, and ensure that session cookies have the SameSite attribute set to prevent cross-origin requests from carrying authentication credentials. Additionally, educate users to avoid interacting with untrusted links or pages that could trigger CSRF attacks. [1]
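The two defensive fixes named in the answers above, a per-session nonce that is actually checked on state-changing requests and a session cookie carrying a SameSite attribute, shown as a small Go program. This is an added example written for this page; it is not listmonk's own code and does not reproduce its internals. The endpoint path, the `session` cookie name, the `nonce` parameter name and the session identifiers are assumptions used only to make the example self-contained. The weak handler accepts a nonce but never validates it, so requests with and without the nonce get the same response (the anomaly the detection answer describes); the hardened handler rejects them.

```go
package main

// Added example (not listmonk's code). Endpoint path, cookie/parameter
// names and session ids are assumptions for illustration only.

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// nonceStore maps a session id to the single nonce issued for it.
type nonceStore struct {
	mu     sync.Mutex
	nonces map[string]string
}

func newNonceStore() *nonceStore { return &nonceStore{nonces: map[string]string{}} }

// issue generates a fresh random nonce for the session and remembers it.
func (s *nonceStore) issue(session string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	s.mu.Lock()
	s.nonces[session] = n
	s.mu.Unlock()
	return n
}

// valid reports whether the presented nonce is the one bound to the session.
func (s *nonceStore) valid(session, presented string) bool {
	s.mu.Lock()
	want, ok := s.nonces[session]
	s.mu.Unlock()
	if !ok || presented == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(presented)) == 1
}

// sessionCookie builds the session cookie; hardened=true adds SameSite and
// Secure, hardened=false reproduces the weak form without SameSite.
func sessionCookie(value string, hardened bool) *http.Cookie {
	c := &http.Cookie{Name: "session", Value: value, Path: "/", HttpOnly: true}
	if hardened {
		c.SameSite = http.SameSiteLaxMode
		c.Secure = true
	}
	return c
}

// previewHandler stands in for a state-changing endpoint. On its own it is
// the weak pattern: it ignores the nonce entirely.
func previewHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "preview rendered")
	})
}

// csrfProtect rejects state-changing requests whose nonce does not match
// the one bound to the caller's session.
func csrfProtect(store *nonceStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
			next.ServeHTTP(w, r)
			return
		}
		sess, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		if !store.valid(sess.Value, r.FormValue("nonce")) {
			http.Error(w, "invalid or missing nonce", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// postStatus is the in-process counterpart of the "with and without the
// nonce" curl comparison: POST with the session cookie, return the status.
func postStatus(h http.Handler, session, nonce string) int {
	form := "template=normal"
	if nonce != "" {
		form += "&nonce=" + nonce
	}
	req := httptest.NewRequest(http.MethodPost, "/api/templates/preview", strings.NewReader(form))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(sessionCookie(session, false))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := newNonceStore()
	nonce := store.issue("sess-1") // constructed session id
	weak, hardened := previewHandler(), csrfProtect(store, previewHandler())
	fmt.Println("weak     with nonce:", postStatus(weak, "sess-1", nonce), "without:", postStatus(weak, "sess-1", ""))
	fmt.Println("hardened with nonce:", postStatus(hardened, "sess-1", nonce), "without:", postStatus(hardened, "sess-1", ""))
	fmt.Println("hardened cookie SameSite=Lax:", sessionCookie("sess-1", true).SameSite == http.SameSiteLaxMode)
}
```

Running it prints 200/200 for the weak handler and 200/403 for the hardened one. The nonce is bound to the session rather than being a global value, and it is compared in constant time; the SameSite attribute is the second, independent layer, so that a cross-origin form post never carries the session cookie in the first place.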