CVE-2025-66025
BaseFortify
Publication date: 2025-11-26
Last updated on: 2025-11-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| caido | caido | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Caido, a web security auditing toolkit, where the Markdown renderer on the Findings page improperly handled user-supplied Markdown. This allowed attacker-controlled links to be rendered without user confirmation. When a user opened a finding generated by the scanner or other plugins, clicking these malicious links could redirect the application to an attacker-controlled domain, enabling phishing-style attacks. The issue was fixed in version 0.53.0.
How can this vulnerability impact me? :
The vulnerability can impact you by exposing users of the Caido application to phishing attacks. An attacker can inject malicious links that, when clicked, redirect users to attacker-controlled domains. This can lead to users being tricked into revealing sensitive information or performing unintended actions.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Caido to version 0.53.0 or later, as this version contains the patch that fixes the improper handling of user-supplied Markdown and prevents attacker-controlled links from being rendered without confirmation.