CVE-2025-59838
BaseFortify
Publication date: 2025-09-25
Last updated on: 2025-10-28
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monkeytype | monkeytype | to 25.36.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Monkeytype versions 25.36.0 and prior is a cross-site scripting (XSS) issue caused by improper handling of user input when loading a saved custom text. This means that malicious scripts could be injected and executed in the context of the application.
How can this vulnerability impact me? :
The XSS vulnerability could allow an attacker to execute malicious scripts in your browser when using Monkeytype, potentially leading to unauthorized actions, data theft, or session hijacking within the application.
What immediate steps should I take to mitigate this vulnerability?
Update Monkeytype to a version later than 25.36.0 where the issue has been patched (commit f025b12). Avoid loading saved custom texts from untrusted sources until the update is applied.