CVE-2025-66629
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-09

Assigner: GitHub, Inc.

Description
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.4, some of HedgeDoc's OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection, since they don't send a state parameter and verify the response using this parameter. This vulnerability is fixed in 1.10.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-09
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66629
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hedgedoc hedgedoc to 1.10.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA. The vulnerability involves missing CSRF protection in OAuth2 authentication flows, which could potentially lead to unauthorized access or data exposure, but no explicit connection to compliance impacts is described.

Detection Guidance

To detect this vulnerability, you can monitor OAuth2 callback requests to HedgeDoc's social login endpoints (e.g., /auth/gitlab/callback, /auth/github/callback) and check if the 'state' parameter is missing in the query string. For example, you can use network traffic capture tools like tcpdump or Wireshark to filter HTTP requests to these endpoints and inspect the parameters. A sample tcpdump command to capture HTTP traffic to the server on port 80 is: tcpdump -i any -A 'tcp port 80 and (((ip dst <hedgedoc_server_ip>) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420))' and then look for requests to /auth/*/callback without a 'state' parameter. Alternatively, using curl or wget to simulate OAuth2 callback requests without the 'state' parameter and observing the server response can help confirm if the vulnerability exists. Note that the vulnerability is fixed in HedgeDoc version 1.10.4 and later, so verifying the installed version is also important. [1]

Executive Summary

This vulnerability in HedgeDoc affects some OAuth2 endpoints used for social login providers like Google, GitHub, GitLab, Facebook, or Dropbox. Prior to version 1.10.4, these endpoints lack CSRF (Cross-Site Request Forgery) protection because they do not send or verify a state parameter in the OAuth2 authentication flow. This missing verification can allow attackers to perform unauthorized actions by exploiting the OAuth2 login process. The issue is fixed in version 1.10.4.

Impact Analysis

This vulnerability can allow attackers to perform Cross-Site Request Forgery attacks on the OAuth2 login process, potentially leading to unauthorized access or actions within the HedgeDoc application. The impact includes limited confidentiality and integrity risks, as indicated by the CVSS score, meaning attackers might trick users into unintended actions or gain limited access through social login endpoints.

Mitigation Strategies

Upgrade HedgeDoc to version 1.10.4 or later, as this version fixes the OAuth2 endpoints by adding proper CSRF protection using the state parameter.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66629. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart