CVE-2025-65203
Credential Exfiltration via Autofill Vulnerability in KeePassXC-Browser

Publication date: 2025-12-17

Last updated on: 2025-12-17

Assigner: MITRE

Description
KeePassXC-Browser through 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials.

Meta Information
Published: 2025-12-17
Last Modified: 2025-12-17
Generated: 2026-05-07
AI Q&A: 2025-12-17
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 2 associated CPEs

Vendor | Product | Version / Range
keepassxc | browser | 1.9.9.3
keepassxc | browser | 1.9.9.2

CWE ID | Description
CWE-353 | The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-65203 is a security vulnerability in KeePassXC-Browser versions up to 1.9.9.2 where the extension autofills or prompts users to fill stored credentials into documents rendered inside sandboxed iframes or documents with a browser-enforced Content Security Policy (CSP) 'sandbox' directive. These sandbox mechanisms set the origin of the iframe or page to null to isolate and restrict privileges, preventing untrusted content from accessing sensitive data. However, KeePassXC-Browser fails to recognize these sandboxed contexts properly and allows autofilling or prompting for credentials, which enables attacker-controlled scripts within the sandboxed document to access and exfiltrate the filled credentials. The vulnerability arises from not checking if the page is sandboxed (i.e., if self.origin is null) before autofilling credentials. [1]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized access and exfiltration of your stored credentials by attacker-controlled scripts running in sandboxed iframes or documents. Since the extension autofills or prompts to fill credentials in these restricted contexts, attackers can exploit this to steal sensitive login information, potentially compromising your accounts and security. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if KeePassXC-Browser autofills or prompts to fill stored credentials into documents rendered within sandboxed iframes or documents with a browser-enforced Content Security Policy (CSP) sandbox directive. Since sandboxed iframes have their self.origin property set to null, you can detect potentially vulnerable contexts by inspecting iframe elements in your browser developer tools and verifying if they have the sandbox attribute and if their origin is null. There are no specific commands provided in the resources for detection on a network or system level. [1]
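
The check described above, as an added example that is not KeePassXC-Browser's code: a simplified model that decides from a document's CSP header and its iframe `sandbox` attribute whether the document gets an opaque origin, and applies the `self.origin` guard before filling. All function names, hosts and sample policies are hypothetical or constructed, and sandbox flags inherited from parent frames are not modeled.

```javascript
// Added example; not KeePassXC-Browser code. Function names are hypothetical.

// Tokens of the CSP `sandbox` directive, or null when the policy has none.
function cspSandboxTokens(cspHeader) {
  for (const directive of (cspHeader || '').split(';')) {
    const [name, ...tokens] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'sandbox') return tokens.map(t => t.toLowerCase());
  }
  return null;
}

// Tokens of an iframe `sandbox` attribute; null means the attribute is absent.
function iframeSandboxTokens(attr) {
  if (attr === null || attr === undefined) return null;
  return attr.split(/\s+/).filter(Boolean).map(t => t.toLowerCase());
}

// Any applicable sandbox without `allow-same-origin` forces an opaque origin.
function hasOpaqueOrigin({ csp = null, iframeSandbox = null }) {
  return [cspSandboxTokens(csp), iframeSandboxTokens(iframeSandbox)]
    .some(tokens => tokens !== null && !tokens.includes('allow-same-origin'));
}

// Guard before filling: an opaque origin serializes as the string "null".
function mayAutofill(selfOrigin) {
  return typeof selfOrigin === 'string' && selfOrigin !== 'null';
}

// Constructed sample documents (hosts and policies are made up).
const SAMPLES = [
  { name: 'plain page', url: 'https://login.example/', csp: "default-src 'self'" },
  { name: 'iframe sandbox', url: 'https://login.example/f', iframeSandbox: 'allow-scripts allow-forms' },
  { name: 'CSP sandbox', url: 'https://login.example/c', csp: "default-src 'self'; sandbox allow-scripts" },
  { name: 'same-origin kept', url: 'https://login.example/s', iframeSandbox: 'allow-scripts allow-same-origin' },
  { name: 'empty sandbox attr', url: 'https://login.example/e', iframeSandbox: '' },
];

// For each sample, derive the origin the content script would see and the fill decision.
function audit(samples) {
  return samples.map(s => {
    const opaque = hasOpaqueOrigin(s);
    const selfOrigin = opaque ? 'null' : new URL(s.url).origin;
    return { name: s.name, selfOrigin, fill: mayAutofill(selfOrigin) };
  });
}

console.table(audit(SAMPLES));
```

An empty `sandbox` attribute is the most restrictive case, so it is treated as opaque just like a token list that omits `allow-same-origin`.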


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating KeePassXC-Browser to version 1.9.9.3 or later, which contains the patch that prevents autofilling credentials into sandboxed iframes or documents where self.origin is null. Until the update is applied, avoid using KeePassXC-Browser in environments where sandboxed iframes or CSP sandbox directives are used, or disable autofill prompts in such contexts if possible. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows attacker-controlled scripts in sandboxed documents to access and exfiltrate stored credentials autofilled by KeePassXC-Browser. Such unauthorized access and potential leakage of sensitive credential data could lead to violations of data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and disclosure. Therefore, the vulnerability negatively impacts compliance by exposing sensitive user credentials to attackers. [1, 2]

