CVE-2025-15454
Remote XSS in Zhanglun Lettura RSS Handler Component
Publication date: 2026-01-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zhanglun | lettura | up to and including 0.1.22 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15454 is a cross-site scripting (XSS) vulnerability in the open-source software 'lettura' by zhanglun, affecting versions up to 0.1.22. It occurs in the RSS Handler component within the file src/components/ArticleView/ContentRender.tsx, where attacker-controlled RSS feed content is improperly sanitized before being rendered as HTML. This allows remote attackers to inject and execute arbitrary JavaScript code in the application's WebView context. The vulnerability is exacerbated by disabled Content Security Policy (CSP) and enabled Tauri filesystem access, enabling attackers to perform actions such as Server-Side Request Forgery (SSRF) and unauthorized file read/write operations in the user's Download folder. Exploitation requires some user interaction but no authentication. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to several severe impacts: attackers can execute arbitrary JavaScript code remotely within the application, potentially performing SSRF attacks to access internal network resources. They can also read from and write to the user's Download folder due to Tauri's filesystem permissions being enabled. This can result in unauthorized data manipulation, exposure of sensitive information, and compromise of system integrity. The attack requires user interaction but no authentication, making it a significant security risk. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious JavaScript execution or unusual network requests originating from the affected application, especially those related to RSS feed content rendering. A proof-of-concept exploit scans local ports 1100-1200 on 127.0.0.1 by sending fetch requests to /api/user-config endpoints without CORS restrictions. To detect exploitation attempts, you can monitor network traffic for such requests or scan logs for unexpected fetch calls to these endpoints. Additionally, inspecting the application's webview or logs for injected scripts or unexpected file read/write operations in the Download folder can help identify exploitation. Specific commands to detect open ports or suspicious activity include using network monitoring tools like tcpdump or Wireshark to capture traffic on localhost ports 1100-1200, or using curl/wget to test access to /api/user-config endpoints. For example, running a local port scan with nmap: `nmap -p 1100-1200 127.0.0.1` or monitoring HTTP requests with `tcpdump -i lo port 1100-1200` may help detect malicious activity. [2]
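The answer above describes the proof of concept as a burst of fetch requests from the reader to /api/user-config on loopback ports 1100-1200. The following is an added example, not code from the advisory or from the lettura project, that turns that description into a log-scanning rule: it classifies each line that carries a loopback URL and reports whether a port-scan pattern is present. The log format and the threshold of five distinct probed ports are constructed assumptions; adapt the regex and threshold to the proxy or application log you actually have.

```javascript
// Added example (not from the advisory or the lettura project).
// Flags fetch-style requests from the feed reader to loopback ports in the
// range the advisory's proof of concept is described as scanning.
const PORT_MIN = 1100;
const PORT_MAX = 1200;
const SCAN_THRESHOLD = 5; // assumed heuristic: this many distinct probed ports = scan

// Absolute URL aimed at the loopback address; captures the port and path.
const LOOPBACK_URL = /https?:\/\/(?:127\.0\.0\.1|localhost)(?::(\d{1,5}))?(\/[^\s"']*)?/i;

// Returns null for lines that are not interesting, otherwise a finding.
function classifyLine(line) {
  const m = LOOPBACK_URL.exec(line);
  if (!m) return null;
  const port = m[1] ? Number(m[1]) : 80;
  const path = (m[2] || '/').split('?')[0]; // drop any query string
  const inRange = port >= PORT_MIN && port <= PORT_MAX;
  if (!inRange) return null;
  if (path === '/api/user-config') {
    return { port, path, severity: 'high', reason: 'loopback /api/user-config probe in PoC port range' };
  }
  return { port, path, severity: 'medium', reason: 'loopback request in PoC port range' };
}

// Scans a whole log and summarises whether the burst looks like a port scan.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const c = classifyLine(line);
    if (c) hits.push({ line: i + 1, ...c });
  });
  const probedPorts = new Set(hits.filter(h => h.severity === 'high').map(h => h.port));
  return { hits, probedPorts: probedPorts.size, likelyScan: probedPorts.size >= SCAN_THRESHOLD };
}

// Constructed sample log: benign feed traffic mixed with a short probe burst.
const SAMPLE_LOG = [
  '2026-01-05T10:00:01Z lettura fetch GET https://example.org/feed.xml 200',
  '2026-01-05T10:00:02Z lettura fetch GET http://127.0.0.1:1100/api/user-config ERR_CONNECTION_REFUSED',
  '2026-01-05T10:00:02Z lettura fetch GET http://127.0.0.1:1101/api/user-config ERR_CONNECTION_REFUSED',
  '2026-01-05T10:00:02Z lettura fetch GET http://localhost:1150/api/user-config?x=1 200',
  '2026-01-05T10:00:03Z lettura fetch GET http://127.0.0.1:1199/api/user-config ERR_CONNECTION_REFUSED',
  '2026-01-05T10:00:03Z lettura fetch GET http://127.0.0.1:1200/api/user-config ERR_CONNECTION_REFUSED',
  '2026-01-05T10:00:03Z lettura fetch GET http://127.0.0.1:1300/api/user-config ERR_CONNECTION_REFUSED',
  '2026-01-05T10:00:04Z lettura fetch GET http://127.0.0.1:1150/healthz 200',
  '2026-01-05T10:00:05Z lettura fetch GET https://cdn.example.net/image.png 200',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
}
```

Port 1300 is outside the described range and is ignored; the request to /healthz on an in-range port is reported at medium severity because it matches the loopback pattern without the exact endpoint.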
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the official patch identified by commit hash 67213093db9923e828a6e3fd8696a998c85da2d4, which sanitizes HTML content using DOMPurify before rendering, preventing malicious script injection. Additionally, enabling Content Security Policy (CSP) and reviewing Tauri allowlist permissions to restrict filesystem access can reduce the impact of potential exploitation. If patching is not immediately possible, consider disabling or restricting RSS feed processing or limiting user interaction with untrusted content to reduce risk. [1, 4]
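The mitigation answer above names two configuration conditions that amplify this XSS: a disabled CSP and broad Tauri filesystem allowlist access. The following is an added example, not code from the advisory or from the lettura project, that audits a tauri.conf.json object for those conditions and shows a weak configuration beside a hardened one. It assumes the Tauri 1.x configuration schema (`tauri.security.csp`, `tauri.allowlist.fs.*`); both configuration objects are constructed for illustration, and the scope pattern `$DOWNLOAD/*` is an assumed example of restricting access to the download folder the advisory mentions.

```javascript
// Added example (not from the advisory or the lettura project).
// Audits a Tauri 1.x tauri.conf.json object (schema assumed from Tauri 1.x)
// for a missing/weak CSP and over-broad filesystem allowlist settings.
const FS_COMMANDS = ['readFile', 'writeFile', 'readDir', 'copyFile', 'createDir',
  'removeDir', 'removeFile', 'renameFile', 'exists'];

// Parses a CSP string into a map of directive name -> source list.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1).map(t => t.toLowerCase()));
  }
  return directives;
}

// Returns a list of findings {id, severity, message}; empty means nothing flagged.
function auditTauriConfig(conf) {
  const findings = [];
  const add = (id, severity, message) => findings.push({ id, severity, message });
  const tauri = (conf && conf.tauri) || {};
  const csp = tauri.security && tauri.security.csp;

  if (typeof csp !== 'string' || csp.trim() === '') {
    add('csp-disabled', 'high', 'tauri.security.csp is unset: injected feed HTML can load and run arbitrary script');
  } else {
    const d = parseCsp(csp);
    const scriptSrc = d.get('script-src') || d.get('default-src') || [];
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (scriptSrc.includes(weak)) add('csp-weak-script-src', 'medium', `script policy permits ${weak}`);
    }
    if (!d.has('script-src') && !d.has('default-src')) {
      add('csp-no-script-src', 'high', 'CSP sets neither script-src nor default-src');
    }
  }

  const allowlist = tauri.allowlist || {};
  if (allowlist.all === true) add('allowlist-all', 'high', 'tauri.allowlist.all exposes every API to the webview');
  const fs = allowlist.fs || {};
  const enabled = FS_COMMANDS.filter(k => fs[k] === true);
  const scope = Array.isArray(fs.scope) ? fs.scope : [];
  if (fs.all === true) add('fs-all', 'high', 'tauri.allowlist.fs.all grants every filesystem command');
  if ((fs.all === true || enabled.length > 0) && scope.length === 0) {
    add('fs-unscoped', 'high', 'filesystem commands are enabled with no fs.scope restriction');
  }
  if (scope.some(s => s === '**' || s.startsWith('$HOME'))) {
    add('fs-scope-broad', 'medium', `fs.scope is broad: ${scope.join(', ')}`);
  }
  if (fs.all === true || fs.writeFile === true) {
    add('fs-write-enabled', 'info', 'writeFile is reachable from the webview; keep fs.scope to the minimum directory');
  }
  return findings;
}

// True when no high or medium finding remains.
function isAcceptable(conf) {
  return !auditTauriConfig(conf).some(f => f.severity === 'high' || f.severity === 'medium');
}

// Constructed: the kind of configuration the advisory describes (CSP off, fs wide open).
const WEAK_CONFIG = {
  tauri: { security: { csp: null }, allowlist: { fs: { all: true, scope: ['**'] } } },
};

// Constructed: CSP enabled, only the needed fs commands, scoped to the download folder.
const HARDENED_CONFIG = {
  tauri: {
    security: { csp: "default-src 'self'; script-src 'self'; img-src 'self' https: data:; style-src 'self' 'unsafe-inline'" },
    allowlist: { fs: { all: false, readFile: true, writeFile: true, scope: ['$DOWNLOAD/*'] } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', auditTauriConfig(WEAK_CONFIG));
  console.log('hardened:', auditTauriConfig(HARDENED_CONFIG));
}
```

The hardened configuration still reports an informational finding for `writeFile`, which is deliberate: write access is a legitimate feature, and the point of the check is to make sure it stays scoped rather than to forbid it. A CSP alone does not fix the root cause; the sanitization fix in the referenced commit is what stops the injected markup from reaching the DOM in the first place.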
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows remote attackers to execute arbitrary scripts, perform SSRF, and read/write local files, it could potentially lead to unauthorized access or manipulation of sensitive data, which may affect compliance with data protection regulations. No direct statements about compliance impact are given. [1, 2, 3]