CVE-2025-67842
Cross-Site Scripting in Mintlify Static Asset API via Subdomain Parameter

Publication date: 2025-12-19

Last updated on: 2025-12-19

Assigner: MITRE

Description
The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant's assets can be served on any other tenant's documentation site.
Meta Information
Published: 2025-12-19
Last Modified: 2025-12-19
Generated: 2026-05-07
AI Q&A: 2025-12-19
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 2 associated CPEs

Vendor     Product            Version / Range
mintlify   static_asset_api   *
mintlify   platform           *
CWE
CWE-829: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-67842 is a cross-site scripting (XSS) vulnerability in Mintlify's Static Asset API that allows remote attackers to inject and execute arbitrary JavaScript via specially crafted SVG files uploaded to one tenant's documentation site but served on another tenant's domain. This happens because the static asset endpoint does not properly restrict access to static files by tenant subdomain, enabling attackers to host malicious SVG files containing embedded JavaScript that executes in the context of trusted domains like discord.com. This can lead to execution of arbitrary scripts, theft of user credentials, session tokens, and account takeover. The vulnerability was discovered in the endpoint /_mintlify/static/[subdomain]/[...route], which serves static files without validating the subdomain, allowing cross-tenant asset access and script execution. [1, 4, 5]


How can this vulnerability impact me?

This vulnerability can have severe impacts including theft of user credentials and session tokens, enabling attackers to perform full account takeovers on affected platforms such as Discord. Attackers can execute arbitrary JavaScript in the context of trusted domains, allowing them to read and write developer applications, modify bots, reset secrets, send messages, make purchases, and abuse APIs as the victim user. It also enables phishing attacks by presenting fake login screens and can lead to widespread compromise of user accounts and sensitive data. The vulnerability affects customers hosting documentation on domains shared with web applications that store authentication tokens in localStorage or use cookies with wildcard domains. [1, 2, 4, 5]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2025-67842 involves monitoring for unusual access to the Mintlify static asset endpoint, especially requests to URLs matching the pattern /_mintlify/static/[subdomain]/[...route] serving SVG files. Network or web server logs can be inspected for requests to this endpoint with suspicious or unexpected subdomains or SVG files. Additionally, scanning for SVG files containing embedded JavaScript payloads on your hosted documentation sites can help identify malicious assets. Since the vulnerability involves cross-site scripting via SVG files, commands to search for SVG files with script tags or onload attributes in your documentation repositories can be useful. For example, using grep to find suspicious SVG files:

1. Search for SVG files containing script tags: `grep -r --include='*.svg' '<script' /path/to/documentation`
2. Search for SVG files with onload attributes: `grep -r --include='*.svg' 'onload=' /path/to/documentation`
3. Monitor web server logs for requests to the vulnerable endpoint: `grep '/_mintlify/static/' /var/log/nginx/access.log` or equivalent.
4. Use web application firewall (WAF) or intrusion detection system (IDS) rules to alert on requests to the vulnerable endpoint with unusual subdomains or SVG files.

These steps can help detect attempts to exploit or the presence of malicious SVG files related to this vulnerability. [1, 2, 5]
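The grep commands above match on raw text and miss attribute spellings, namespaced elements and javascript: links, so here is an added example (not from this record or from Mintlify) that parses each SVG and reports every form of active content the advisory is concerned with. The sample SVG documents and the directory path are constructed for the example.

```python
# Added example: flag SVG assets carrying active content (script elements,
# on* event handlers, javascript: hrefs, foreignObject) in a documentation tree.
# Not Mintlify code; sample SVGs below are constructed for illustration.
import re
import xml.etree.ElementTree as ET
from pathlib import Path

ACTIVE_ELEMENTS = {"script", "foreignobject"}
JS_HREF = re.compile(r"^\s*javascript:", re.IGNORECASE)


def svg_active_content(svg_text: str) -> list:
    """Return findings for one SVG document; an empty list means none seen."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # An asset that does not parse is still worth review, so report it.
        return [f"unparseable SVG ({exc}); treat as suspicious"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()  # strip the XML namespace
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()  # handles xlink:href as well
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and JS_HREF.match(value):
                findings.append(f"javascript: href on <{tag}>")
    return findings


def scan_tree(root_dir: str) -> dict:
    """Map each flagged .svg path under root_dir to its findings."""
    report = {}
    for path in Path(root_dir).rglob("*.svg"):
        findings = svg_active_content(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path)] = findings
    return report


# Constructed samples: a plain icon and an asset with embedded active content.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
              'xmlns:xlink="http://www.w3.org/1999/xlink" onload="x()">'
              '<script>/* constructed sample */</script>'
              '<a xlink:href="javascript:x()"><text>link</text></a></svg>')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(name, svg_active_content(doc))
```

Run `scan_tree("/path/to/documentation")` against the checked-out docs repository to get a per-file report; anything listed should be reviewed before it is served.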


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps for CVE-2025-67842 include:

1. Apply the official patch or update from Mintlify that restricts static asset access to the uploading customer only, preventing cross-tenant asset serving.
2. Ensure that your documentation hosting does not allow serving SVG files with embedded JavaScript from other tenants or subdomains.
3. Audit and remove any suspicious or untrusted SVG files from your documentation repositories.
4. Harden path traversal protections to prevent bypassing asset access restrictions.
5. Rotate any credentials or tokens that might have been exposed due to this vulnerability.
6. Implement strict Content Security Policy (CSP) headers to limit script execution and reduce XSS impact.
7. Monitor and audit logs for suspicious access patterns to the vulnerable endpoints.
8. If possible, avoid hosting documentation on the same domain as sensitive web applications, or use separate domains/subdomains with proper cookie scoping.
9. Engage with Mintlify support or security teams to confirm that all related vulnerabilities and patches have been applied.

These steps were part of the rapid response by Mintlify and affected customers following disclosure. [2, 5]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not explicitly discuss the impact of CVE-2025-67842 on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability enables cross-site scripting attacks that can lead to credential theft, account takeover, and unauthorized access to sensitive data, it could potentially result in violations of data protection regulations that require safeguarding personal data and ensuring secure authentication mechanisms. The incident led to security improvements and audits, which would be necessary steps to maintain compliance, but no direct statements about regulatory compliance impact are provided. [1, 2, 4, 5]

