CVE-2025-59430
BaseFortify
Publication date: 2025-09-22
Last updated on: 2025-09-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| meshconnect | web_link_sdk | 3.3.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue in the Mesh Connect JS SDK's createLink.openLink function. Before version 3.3.2, the function did not properly validate the protocol of URLs it processed. An attacker could supply a specially crafted base64-encoded URL using the "javascript:" protocol, which would execute arbitrary JavaScript code within the context of the parent page. This allows the attacker to access and manipulate the parent page's DOM, storage, session, and cookies. Additionally, if the attacker specifies a customIframeId, they can hijack existing iframes by changing their source. The vulnerability was fixed by adding strict validation to ensure only URLs starting with "http://" or "https://" are accepted, blocking malicious payloads. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized execution of JavaScript code within the parent page, leading to potential theft or manipulation of sensitive data such as cookies, session information, and DOM elements. In contexts like wallets, it could result in exposure of private keys or unauthorized transaction manipulation, potentially causing financial loss. The attacker can also hijack existing iframes to further exploit the application. Overall, it compromises the integrity and confidentiality of the affected application. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting usage of the createLink.openLink function in the @meshconnect/web-link-sdk package, specifically checking whether base64-encoded URLs are decoded and assigned to iframe src attributes without proper protocol validation. To detect potential exploitation, monitor for iframe src attributes containing non-http(s) protocols such as "javascript:". Network or system detection could involve searching logs or network traffic for base64-encoded payloads that decode to URLs starting with "javascript:" or other suspicious protocols. Since this is a client-side JavaScript vulnerability, detection commands amount to searching your codebase or runtime environment for usage of createLink.openLink with unvalidated URLs; for example, grep or similar tools can find calls to createLink.openLink or iframe src assignments fed by base64-decoded URLs. However, no specific detection commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the @meshconnect/web-link-sdk package to version 3.3.2 or later, where the vulnerability is fixed. The fix includes strict validation of the decoded link token to ensure it starts only with "http://" or "https://" protocols, preventing execution of arbitrary JavaScript code. Additionally, the patched version triggers an onExit callback with an error message if an invalid link token is detected, blocking malicious URLs from opening. Applying this update will prevent exploitation of the XSS vulnerability in the createLink.openLink function. [1, 3]
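The decode-validate-open flow described in the detection and mitigation answers above, as an added example that is not the SDK's own code: the function names (decodeLinkToken, isAllowedLinkUrl, openLinkUnsafe, openLinkSafe, findSuspiciousTokens) and the onExit option shape are assumptions, and the iframe is any object with a src property.

```javascript
// Added example, not @meshconnect/web-link-sdk code; names are assumptions.
// Decode a base64 link token (Node Buffer; atob() does the same in a browser).
function decodeLinkToken(linkToken) {
  return Buffer.from(String(linkToken), 'base64').toString('utf8');
}

// Protocol allow-list: only http: and https: pass. The URL constructor
// normalises the scheme, so "JavaScript:" or "data:" are rejected along
// with anything that is not an absolute URL.
function isAllowedLinkUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // relative or malformed: refuse rather than guess
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Vulnerable pattern (pre-3.3.2 behaviour as the advisory describes it):
// the decoded token is assigned straight to iframe.src.
function openLinkUnsafe(iframe, linkToken) {
  iframe.src = decodeLinkToken(linkToken);
}

// Hardened pattern: validate first; an invalid token is reported through
// the onExit callback and never loaded.
function openLinkSafe(iframe, linkToken, { onExit } = {}) {
  const url = decodeLinkToken(linkToken);
  if (!isAllowedLinkUrl(url)) {
    if (onExit) onExit('Invalid link token: only http(s) URLs are allowed');
    return false;
  }
  iframe.src = url;
  return true;
}

// Detection helper for the monitoring advice above: from base64 tokens
// found in logs or traffic, return those that decode to a URL whose scheme
// is not http(s). Strings that do not parse as a URL at all are skipped.
function findSuspiciousTokens(tokens) {
  const hits = [];
  for (const token of tokens) {
    const url = decodeLinkToken(token);
    let parsed;
    try { parsed = new URL(url); } catch (e) { continue; } // not a URL
    if (!['http:', 'https:'].includes(parsed.protocol)) hits.push({ token, url });
  }
  return hits;
}
```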