CVE-2025-65203
Unknown Unknown - Not Provided
Credential Exfiltration via Autofill Vulnerability in KeePassXC-Browser

Publication date: 2025-12-17

Last updated on: 2025-12-17

Assigner: MITRE

Description
KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-17
Generated
2026-06-16
AI Q&A
2025-12-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65203
EUVD
EUVD-2025-203910
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
keepassxc browser 1.9.9.3
keepassxc browser 1.9.9.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
CWE-353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-65203 is a security vulnerability in KeePassXC-Browser versions up to 1.9.9.2 where the extension autofills or prompts users to fill stored credentials into documents rendered inside sandboxed iframes or documents with a browser-enforced Content Security Policy (CSP) 'sandbox' directive. These sandbox mechanisms set the origin of the iframe or page to null to isolate and restrict privileges, preventing untrusted content from accessing sensitive data. However, KeePassXC-Browser fails to recognize these sandboxed contexts properly and allows autofilling or prompting for credentials, which enables attacker-controlled scripts within the sandboxed document to access and exfiltrate the filled credentials. The vulnerability arises from not checking if the page is sandboxed (i.e., if self.origin is null) before autofilling credentials. [1]

Impact Analysis

This vulnerability can lead to unauthorized access and exfiltration of your stored credentials by attacker-controlled scripts running in sandboxed iframes or documents. Since the extension autofills or prompts to fill credentials in these restricted contexts, attackers can exploit this to steal sensitive login information, potentially compromising your accounts and security. [1]

Detection Guidance

This vulnerability can be detected by checking if KeePassXC-Browser autofills or prompts to fill stored credentials into documents rendered within sandboxed iframes or documents with a browser-enforced Content Security Policy (CSP) sandbox directive. Since sandboxed iframes have their self.origin property set to null, you can detect potentially vulnerable contexts by inspecting iframe elements in your browser developer tools and verifying if they have the sandbox attribute and if their origin is null. There are no specific commands provided in the resources for detection on a network or system level. [1]

Mitigation Strategies

Immediate mitigation steps include updating KeePassXC-Browser to version 1.9.9.3 or later, which contains the patch that prevents autofilling credentials into sandboxed iframes or documents where self.origin is null. Until the update is applied, avoid using KeePassXC-Browser in environments where sandboxed iframes or CSP sandbox directives are used, or disable autofill prompts in such contexts if possible. [2]

Compliance Impact

This vulnerability allows attacker-controlled scripts in sandboxed documents to access and exfiltrate stored credentials autofilled by KeePassXC-Browser. Such unauthorized access and potential leakage of sensitive credential data could lead to violations of data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and disclosure. Therefore, the vulnerability negatively impacts compliance by exposing sensitive user credentials to attackers. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65203. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart