CVE-2025-8349
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-20

Last updated on: 2025-10-21

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Cross-site Scripting (XSS) stored vulnerability in Tawk Live Chat. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by uploading a malicious PDF with JavaScript payload through the chatbot. The PDF is stored by the application and subsequently displayed without proper sanitisation when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-20
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-8349
EUVD
EUVD-2025-35044
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tawk tawk_live_chat *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in Tawk Live Chat. An attacker can upload a malicious PDF containing JavaScript through the chatbot. This PDF is stored and later shown to other users without proper sanitization, allowing the malicious JavaScript to run in their browsers. [1]

Impact Analysis

The vulnerability can be exploited to steal sensitive user data such as session cookies or to perform unauthorized actions on behalf of the user, potentially compromising user accounts and data integrity. [1]

Detection Guidance

Detection of this vulnerability involves monitoring for malicious PDF uploads containing JavaScript payloads through the Tawk Live Chat chatbot interface. Since the vulnerability is a stored XSS via uploaded PDFs, you can inspect uploaded files for embedded JavaScript. Commands to detect suspicious PDFs could include using tools like 'pdfid' or 'pdf-parser' to analyze PDFs for JavaScript content. For example, running 'pdfid suspicious.pdf' or 'pdf-parser --search JavaScript suspicious.pdf' on uploaded files. Additionally, monitoring web server logs for unusual POST requests to the chatbot upload endpoint may help identify exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability to upload PDFs through the chatbot interface until a patch or fix is available. Implement input validation and sanitization to prevent uploading files containing JavaScript payloads. Additionally, monitor and review uploaded files for malicious content and consider applying web application firewall (WAF) rules to block suspicious uploads or script execution. Inform users about the risk and encourage caution when interacting with uploaded files. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8349. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart