QwikSec

Security Database

CVE

CWE

Training

CVE-2025-49590

Published: Jun 18, 2025

Modified: Jun 23, 2025

PUBLISHED

Description

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.

Vendor	Product	Versions
cryptpad	cryptpad	affected `< 2025.3.0`

Weaknesses (CWE)

References

https://github.com/cryptpad/cryptpad/security/advisories/GHSA-vq9h-x3gr-v8rj

x_refsource_CONFIRM

https://github.com/cryptpad/cryptpad/commit/d5e4830ba104a4a442cb23aab5378b8565a95607

x_refsource_MISC

https://github.com/cryptpad/cryptpad/blob/15c81aa8ccb737a9a1167481f4a699af331364bb/www/bounce/main.js#L64-L95

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.