CVE-2025-68467
Cross-Origin Style Sheet Exposure in Dark Reader Extension
Publication date: 2026-03-04
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| darkreader | darkreader | < 4.9.117 (4.9.117 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Dark Reader, an accessibility browser extension that applies dark mode to web pages, concerns how it handled cross-origin CSS style sheets before version 4.9.117. The extension requested these style sheets from a background worker without credentials, assigned the response text to an HTML Style Element for parsing, and also cached the text in the page's Session Storage for performance. Because the fetched content ended up in page-accessible storage, a website author who knew the full URL could have the extension request a style sheet from a web server running on the user's machine (for example http://localhost:8080/style.css), potentially exposing local resources to the page.
The issue was fixed in version 4.9.117 by switching to the modern Constructed Style Sheets API and no longer storing cross-origin style sheet contents in Session Storage. Version 4.9.118 added further restrictions on cross-origin requests targeting localhost aliases, IP addresses, hosts with ports, and non-HTTPS resources.
How can this vulnerability impact me?
This vulnerability could potentially allow a malicious website to access CSS style sheets from a locally running web server on the user's machine if the exact URL is known. This might expose local resources or information that should not be accessible to web pages. However, brute forcing the URL is unlikely due to performance impacts causing the browser tab to hang briefly.
As of December 18, 2025, there are no known exploits of this issue, and it has been fixed in recent versions of Dark Reader. Users should ensure they have updated to version 4.9.117 or later to avoid this risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that you are using Dark Reader version 4.9.117 or later, preferably 4.9.118 or above.
Verify that automatic updates for the Dark Reader extension are not blocked and that the extension is updated to the latest version by checking the browser's extensions page (chrome://extensions or about:addons).
If you use manual builds of Dark Reader, upgrade them to version 4.9.118 or above.
Developers using the darkreader NPM package should ensure that the function passed to setFetchMethod() performs cross-origin requests safely and within the intended scope.
Developers using custom forks of earlier versions should ensure cross-origin requests are performed safely and that responses are not accessible outside the app or extension.
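The following is an added example, not Dark Reader's own code, of the kind of URL policy a setFetchMethod() callback or a custom fork could enforce: it mirrors the 4.9.118 restrictions described above by refusing localhost aliases, IP-address hosts, hosts with explicit ports and non-HTTPS URLs, and issues the remaining requests without credentials. All function names are hypothetical, the callback signature assumed for setFetchMethod() is a function that takes a URL and resolves to a Response, and the checks rely on the canonical hostname produced by the WHATWG URL parser.

```javascript
// Added example, not Dark Reader's code: a deny policy for cross-origin style
// sheet fetches matching the 4.9.118 restrictions. All names are hypothetical.
const LOCALHOST_NAMES = ['localhost', 'localhost.localdomain'];

function isLocalhostAlias(host) {
  const h = host.toLowerCase();
  return LOCALHOST_NAMES.includes(h) || h.endsWith('.localhost');
}

// The URL parser canonicalises IPv4 spellings such as "127.1" to "127.0.0.1".
function isIpv4Literal(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// URL.hostname keeps the brackets of IPv6 literals, e.g. "[::1]".
function isIpv6Literal(host) {
  return host.startsWith('[') && host.endsWith(']');
}

// Returns why the URL must not be fetched, or null when it may be.
function crossOriginStyleSheetDenyReason(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return 'unparseable URL';
  }
  if (url.protocol !== 'https:') return 'non-HTTPS resource';
  if (url.port !== '') return 'explicit port'; // the default 443 parses as ''
  if (isLocalhostAlias(url.hostname)) return 'localhost alias';
  if (isIpv4Literal(url.hostname) || isIpv6Literal(url.hostname)) return 'IP address host';
  return null;
}

function isAllowedCrossOriginStyleSheet(rawUrl) {
  return crossOriginStyleSheetDenyReason(rawUrl) === null;
}

// Callback in the shape assumed for setFetchMethod(): takes a URL and resolves
// to a Response. Policy check first, then an uncredentialed request, so the
// user's cookies for the target never travel with it.
async function fetchCrossOriginStyleSheet(rawUrl, fetchImpl = globalThis.fetch) {
  const reason = crossOriginStyleSheetDenyReason(rawUrl);
  if (reason !== null) throw new Error(`Refusing ${rawUrl}: ${reason}`);
  return fetchImpl(rawUrl, { credentials: 'omit' });
}
```

Pass `fetchCrossOriginStyleSheet` to setFetchMethod() (or call it from the fork's fetch path) and log the deny reason to spot pages that probe local addresses.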