CVE-2025-66629
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hedgedoc | hedgedoc | < 1.10.4 (1.10.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA. The vulnerability involves missing CSRF protection in OAuth2 authentication flows, which could potentially lead to unauthorized access or data exposure, but no explicit connection to compliance impacts is described.
Can you explain this vulnerability to me?
This vulnerability in HedgeDoc affects some OAuth2 endpoints used for social login providers like Google, GitHub, GitLab, Facebook, or Dropbox. Prior to version 1.10.4, these endpoints lack CSRF (Cross-Site Request Forgery) protection because they do not send or verify a state parameter in the OAuth2 authentication flow. This missing verification can allow attackers to perform unauthorized actions by exploiting the OAuth2 login process. The issue is fixed in version 1.10.4.
How can this vulnerability impact me?
This vulnerability can allow attackers to perform Cross-Site Request Forgery attacks on the OAuth2 login process, potentially leading to unauthorized access or actions within the HedgeDoc application. The impact includes limited confidentiality and integrity risks, as indicated by the CVSS score, meaning attackers might trick users into unintended actions or gain limited access through social login endpoints.
What immediate steps should I take to mitigate this vulnerability?
Upgrade HedgeDoc to version 1.10.4 or later, as this version fixes the OAuth2 endpoints by adding proper CSRF protection using the state parameter.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, you can monitor OAuth2 callback requests to HedgeDoc's social login endpoints (e.g., `/auth/gitlab/callback`, `/auth/github/callback`) and check whether the `state` parameter is missing from the query string. For example, you can use network traffic capture tools like tcpdump or Wireshark to filter HTTP requests to these endpoints and inspect the parameters. A sample tcpdump command to capture HTTP GET requests to the server on port 80 is:

```
tcpdump -i any -A 'tcp port 80 and ip dst <hedgedoc_server_ip> and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
```

(`0x47455420` is the ASCII encoding of `GET `, so the filter matches the first packet of each GET request; it cannot inspect TLS traffic on port 443, where the capture would have to be taken at the reverse proxy or from its access logs instead.) Then look for requests to `/auth/*/callback` without a `state` parameter. Alternatively, using curl or wget to send OAuth2 callback requests without the `state` parameter and observing the server response can help confirm whether the vulnerability exists. Note that the vulnerability is fixed in HedgeDoc version 1.10.4 and later, so verifying the installed version is also important. [1]
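The two defender-side tasks described in the mitigation and detection answers above (verifying an OAuth2 `state` parameter correctly, and spotting callback requests that arrive without one) are shown together in the following added example. It is illustrative code written for this page, not HedgeDoc's own implementation: the access-log lines are constructed samples in Common Log Format, the callback path pattern `/auth/<provider>/callback` is taken from the answer above, and the session is modelled as a plain dictionary.

```python
"""Defender-side checks for missing OAuth2 state (CVE-2025-66629, CWE-352).

Added example for this page; not HedgeDoc project code.
"""
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2025:10:00:01 +0000] "GET /auth/github/callback?code=abc123 HTTP/1.1" 302 0
203.0.113.11 - - [05/Dec/2025:10:00:02 +0000] "GET /auth/gitlab/callback?code=def456&state=Zm9vYmFy HTTP/1.1" 302 0
203.0.113.12 - - [05/Dec/2025:10:00:03 +0000] "GET /auth/google/callback?state=&code=ghi789 HTTP/1.1" 302 0
203.0.113.13 - - [05/Dec/2025:10:00:04 +0000] "GET /new HTTP/1.1" 302 0
"""

# Client IP, method and request target of a CLF entry (assumed log layout).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Social-login callback path, as named in the detection answer above.
CALLBACK_RE = re.compile(r"^/auth/(?P<provider>[a-z0-9]+)/callback$")


def callbacks_missing_state(log_text):
    """Return (client_ip, provider) for every OAuth2 callback request
    whose query string carries no non-empty 'state' parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        cb = CALLBACK_RE.match(parts.path)
        if not cb:
            continue
        # parse_qs drops blank values, so 'state=' counts as missing too.
        state = parse_qs(parts.query).get("state", [""])[0]
        if not state:
            findings.append((m.group("ip"), cb.group("provider")))
    return findings


def issue_state(session):
    """Generate an unguessable state, bind it to the user's session and
    return it so it can be added to the authorization redirect."""
    state = secrets.token_urlsafe(32)
    session["oauth2_state"] = state
    return state


def verify_state(session, returned_state):
    """Consume the stored state and compare it with the value the provider
    sent back to the callback. True only on an exact, single-use match."""
    expected = session.pop("oauth2_state", None)  # one-shot: never reusable
    if expected is None or not isinstance(returned_state, str):
        return False
    return hmac.compare_digest(expected.encode(), returned_state.encode())


if __name__ == "__main__":
    for ip, provider in callbacks_missing_state(SAMPLE_LOG):
        print(f"callback without state: provider={provider} client={ip}")
    sess = {}
    st = issue_state(sess)
    print("valid state accepted:", verify_state(sess, st))
    print("replayed state accepted:", verify_state(sess, st))
```

Binding the state to the session before the redirect and comparing it in constant time on the callback is what turns the login flow into one the browser cannot be tricked into completing from another origin; the log scan is only a retrospective check and flags both absent and empty `state` values, since an empty value is no better than none.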