CVE-2025-69993
Cross-Site Scripting in Leaflet bindPopup() Allows Code Injection
Publication date: 2026-04-14
Last updated on: 2026-04-21
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leafletjs | leaflet | to 1.9.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69993 is a Cross-Site Scripting (XSS) vulnerability in Leaflet versions up to and including 1.9.4. It occurs because the bindPopup() method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code.
This vulnerability can be exploited when applications pass user-controlled data to bindPopup(), which is common in web mapping apps that let users create or annotate map markers.
Injected scripts execute in the victim's browser when they view the affected map popup, potentially leading to malicious actions.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to several security risks including:
- Theft of session cookies, allowing attackers to hijack user sessions.
- Unauthorized actions performed on behalf of users.
- Redirection of users to malicious websites.
- Injection of phishing content to deceive users.
- Capture of keystrokes and other sensitive user inputs.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the usage of the bindPopup() method in Leaflet-based web applications to see if user-supplied input is passed without sanitization.
Specifically, look for code patterns where bindPopup() is called with user-controlled content, such as:
- L.marker([lat, lng]).addTo(map).bindPopup(userControlledContent).openPopup();
To detect exploitation attempts on your system or network, monitor for suspicious payloads containing HTML event handlers like <img src=x onerror="alert('XSS')"> in map popups.
While no specific commands are provided, developers can test the vulnerability by injecting typical XSS payloads into marker descriptions or URL parameters that populate bindPopup() content and observing if the scripts execute.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing all user input before passing it to the bindPopup() method to prevent execution of malicious scripts.
- Use a sanitization library such as DOMPurify to clean user input, for example: marker.bindPopup(DOMPurify.sanitize(userInput));
- Alternatively, escape HTML entities in user input before passing it to bindPopup(), for example by using a function that converts text to safe HTML.
For maintainers of Leaflet, the recommended fix is to change bindPopup() to render content as plain text by default and require explicit opt-in for HTML rendering with built-in sanitization.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to execute arbitrary JavaScript in users' browsers via Cross-Site Scripting (XSS), which can lead to session cookie theft, unauthorized actions, phishing, and keystroke capture.
Such security issues can impact compliance with standards and regulations like GDPR and HIPAA because they may lead to unauthorized access to personal data, data breaches, and compromise of user privacy and security.
Organizations using affected Leaflet versions without proper mitigation may fail to adequately protect user data, potentially violating data protection requirements under these regulations.