CVE-2025-62716
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-24

Last updated on: 2025-10-27

Assigner: GitHub, Inc.

Description
Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site scripting (XSS) vulnerability, enabling attackers to execute arbitrary JavaScript in the victim’s browser. The issue can be exploited without authentication and has severe impact, including information disclosure, and privilege escalation and modifications of administrative settings. This issue has been patched in version 1.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-24
Last Modified
2025-10-27
Generated
2026-06-16
AI Q&A
2025-10-24
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62716
EUVD
EUVD-2025-35891
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
makeplane plane *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an open redirect issue in the Plane project management software prior to version 1.1.0. It occurs in the ?next_path query parameter, which allows attackers to supply arbitrary schemes like javascript:. These are passed directly to router.push, leading to a cross-site scripting (XSS) vulnerability. This enables attackers to execute arbitrary JavaScript code in the victim's browser without authentication.

Impact Analysis

The vulnerability can have severe impacts including information disclosure, privilege escalation, and unauthorized modifications of administrative settings. Since it allows execution of arbitrary JavaScript in the victim's browser, attackers can potentially steal sensitive data or take control of user sessions.

Mitigation Strategies

Upgrade Plane to version 1.1.0 or later, as this version contains the patch that fixes the open redirect and cross-site scripting vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62716. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart