CVE-2025-22142

5.4 MEDIUM

📋 TL;DR

This is a stored cross-site scripting (XSS) vulnerability in NamelessMC. Administrators can add custom user profile fields, and values submitted to those fields are stored without being neutralized, so a user can place JavaScript in such a field. When staff members view the affected user profile in the admin panel, that JavaScript executes in their browsers. This affects all NamelessMC installations running versions before 2.1.3.

💻 Affected Systems

Products:
  • NamelessMC
Versions: All versions before 2.1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin privileges to create the vulnerable custom field, but any user can then exploit it against staff members.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal staff session cookies, perform actions as staff members, redirect to malicious sites, or install malware on staff computers.

🟠 Likely Case

Attackers steal staff session tokens to gain administrative access, modify site settings, or access sensitive user data.

🟢 If Mitigated

With proper input validation and output encoding, the JavaScript would be rendered harmless as text rather than as executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an admin to first create a vulnerable custom field, then any user can inject JavaScript into that field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.3

Vendor Advisory: https://github.com/NamelessMC/Nameless/security/advisories/GHSA-9q22-w64p-g8qm

Restart Required: No

Instructions:

1. Backup your NamelessMC installation and database.
2. Download version 2.1.3 from the official GitHub releases.
3. Replace all files with the new version.
4. Clear any caching mechanisms.
5. Verify the update completed successfully.

🧯 If You Can't Patch

  • Disable all custom user profile fields in the admin panel.
  • Implement strict Content Security Policy (CSP) headers to block inline JavaScript execution.

🔍 How to Verify

Check if Vulnerable:

Check if your NamelessMC version is below 2.1.3 in the admin panel or by examining the core/version.php file.

Check Version:

grep -i 'version' core/version.php

Verify Fix Applied:

After updating, verify the version shows 2.1.3 or higher in the admin panel or core/version.php file.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript content in user profile fields
  • Multiple staff accounts accessing the same user profile in quick succession

Network Indicators:

  • Outbound connections to suspicious domains from staff IPs after viewing user profiles

SIEM Query:

source="namelessmc_logs" AND (message="*javascript:*" OR message="*<script>*")
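The following is an added example, not code from NamelessMC or from the advisory. It shows the two defensive points on this page: the output encoding from "If Mitigated" that turns a stored field value into inert text, and a scan over stored profile-field values for the same indicators the SIEM query above looks for (javascript: URLs and script tags; inline event handlers are an addition). The sample field values and the field names are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample of custom profile-field values as an admin panel might
# load them from the database (not real NamelessMC data).
SAMPLE_FIELDS = {
    "discord": "player#1234",
    "website": "javascript:alert(1)",
    "bio": 'hi <script>alert(1)</script> <b onmouseover="alert(1)">x</b>',
}

# The advisory's log indicators (javascript: URLs, <script> tags) plus inline
# event-handler attributes, matched case-insensitively like the SIEM wildcards.
SUSPICIOUS = re.compile(r"<script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def render_field(value: str) -> str:
    """Encode a stored field value before emitting it into the staff page.

    Every markup-significant character, including both quote styles, becomes
    an HTML entity, so the browser displays the text instead of parsing it."""
    return html.escape(value, quote=True)


def safe_href(value: str):
    """Encoding alone does not neutralize 'javascript:' once the value is used
    as a link target, so a field that becomes an <a href> is additionally
    restricted to absolute http(s) URLs; anything else yields None (no link)."""
    parsed = urlparse(value.strip())
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return html.escape(value, quote=True)
    return None


def find_suspicious_fields(fields: dict) -> list:
    """Return the sorted names of fields whose stored value matches an
    indicator; useful for a one-off sweep of existing profiles after patching."""
    return sorted(name for name, value in fields.items() if SUSPICIOUS.search(value))


if __name__ == "__main__":
    print("flagged fields:", find_suspicious_fields(SAMPLE_FIELDS))
    for name, value in SAMPLE_FIELDS.items():
        print(f"{name}: {render_field(value)}")
```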

🔗 References