CVE-2025-8349
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-8349, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-20

Last updated on: 2025-10-21

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description

Cross-site Scripting (XSS) stored vulnerability in Tawk Live Chat. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by uploading a malicious PDF with JavaScript payload through the chatbot. The PDF is stored by the application and subsequently displayed without proper sanitisation when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-20
Last Modified
2025-10-21
Generated
2026-07-06
AI Q&A
2025-10-20
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tawk tawk_live_chat *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in Tawk Live Chat. An attacker can upload a malicious PDF containing JavaScript through the chatbot. This PDF is stored and later shown to other users without proper sanitization, allowing the malicious JavaScript to run in their browsers. [1]

Impact Analysis

The vulnerability can be exploited to steal sensitive user data such as session cookies or to perform unauthorized actions on behalf of the user, potentially compromising user accounts and data integrity. [1]

Detection Guidance

Detection of this vulnerability involves monitoring for malicious PDF uploads containing JavaScript payloads through the Tawk Live Chat chatbot interface. Since the vulnerability is a stored XSS via uploaded PDFs, you can inspect uploaded files for embedded JavaScript. Commands to detect suspicious PDFs could include using tools like 'pdfid' or 'pdf-parser' to analyze PDFs for JavaScript content. For example, running 'pdfid suspicious.pdf' or 'pdf-parser --search JavaScript suspicious.pdf' on uploaded files. Additionally, monitoring web server logs for unusual POST requests to the chatbot upload endpoint may help identify exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability to upload PDFs through the chatbot interface until a patch or fix is available. Implement input validation and sanitization to prevent uploading files containing JavaScript payloads. Additionally, monitor and review uploaded files for malicious content and consider applying web application firewall (WAF) rules to block suspicious uploads or script execution. Inform users about the risk and encourage caution when interacting with uploaded files. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8349. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart