CVE-2025-65368
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: MITRE

Description
SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output.
Meta Information
Published: 2026-01-15
Last Modified: 2026-01-15
Generated: 2026-05-27
AI Q&A: 2026-01-16
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (1 associated CPE)
Vendor: codewithcj
Product: sparkyfitness
Version / Range: up to 0.15.8.2 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-65368 is a stored Cross-Site Scripting (XSS) vulnerability in SparkyFitness up to version 0.15.8.2. It occurs because user input and large language model (LLM) output are rendered directly into the web page's DOM using React's dangerouslySetInnerHTML without proper sanitization. This allows attackers to inject malicious JavaScript code into chat messages, which is then executed in the browsers of authenticated users viewing those messages. The attack can lead to session hijacking, forged chatbot messages, and unauthorized actions performed on behalf of the victim. [1]


How can this vulnerability impact me?

This vulnerability can impact you by allowing remote attackers to execute arbitrary JavaScript in your browser when you view infected chat messages. This can result in session hijacking, theft of authentication tokens, forging of AI chatbot messages, and unauthorized API calls performed using your credentials. Essentially, attackers can impersonate you and perform actions without your consent, compromising your account and data security. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this stored XSS vulnerability involves inspecting chat messages for malicious payloads, especially those containing HTML tags with event handlers such as <img onerror=>. You can search the chat history database or logs for suspicious patterns such as <img onerror= or other script injection attempts. Additionally, monitoring HTTP requests for unusual fetch calls that exfiltrate tokens may help. Since the vulnerability involves React's dangerouslySetInnerHTML rendering unsanitized input, reviewing the frontend code or testing with payloads in a controlled environment can confirm the issue. Specific commands depend on your environment, but as an example, grep can find suspicious payloads in logs or database dumps:

grep -i -E '<img onerror=|<script' chat_history.log [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading SparkyFitness to version v0.16.3 or later, where the vulnerability is fixed by sanitizing content with DOMPurify before rendering. If upgrading is not immediately possible, implement input sanitization on user inputs and LLM outputs to prevent script injection. Avoid using React's dangerouslySetInnerHTML with unsanitized content. Additionally, restrict user permissions to limit exposure, monitor chat messages for suspicious content, and educate users about the risk of interacting with untrusted messages. [1]

