CVE-2025-23112
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in REDCap 14.9.6 allows authenticated users to inject malicious scripts into survey field names. When recipients click on these field names while taking surveys, the malicious scripts execute in their browsers. This affects all REDCap instances running the vulnerable version.
💻 Affected Systems
- REDCap
📦 What is this software?
REDCap by Vanderbilt
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or compromise user accounts through credential theft.
Likely Case
Attackers with authenticated access could deploy phishing attacks, steal survey data, or perform limited account takeover against survey recipients.
If Mitigated
With proper input validation and output encoding, the risk is reduced to minimal impact, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires authenticated access to create or modify surveys; a public proof-of-concept exists in a GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.9.7 or later
Vendor Advisory: https://community.projectredcap.org/
Restart Required: No
Instructions:
1. Back up your REDCap instance.
2. Download the latest REDCap version from the Vanderbilt REDCap Consortium.
3. Follow the REDCap upgrade instructions for your specific deployment.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize survey field names before storage
Implement input validation in survey creation/modification endpoints to strip or encode HTML/JavaScript tags
Output Encoding
Apply proper output encoding when displaying survey field names to prevent script execution
Use HTML entity encoding (e.g., htmlspecialchars in PHP) when rendering survey field names
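The two workarounds above, shown side by side as an added example (not REDCap code; REDCap itself is PHP, and the Python html.escape call here plays the role of htmlspecialchars with ENT_QUOTES). The sample field names, the tag-stripping rule and the length cap are constructed for the demonstration; the vulnerable renderer is kept only to show the difference from the encoded one.

```python
import html
import re

# Constructed sample survey field names; two carry the kind of payload the
# advisory describes (script tag, inline event handler). Not real REDCap data.
SAMPLE_FIELD_NAMES = {
    "age": "Participant age",
    "consent": "I agree to take part <script>alert(1)</script>",
    "notes": 'Notes <img src=x onerror="alert(1)">',
}

TAG_RE = re.compile(r"<[^>]*>")   # hypothetical filter rule: drop anything tag-shaped
MAX_LABEL_LEN = 200               # hypothetical length cap for a field label


def sanitize_field_name(raw: str) -> str:
    """Workaround 1: server-side input validation applied before storage.

    Strips HTML/JS tags, collapses whitespace and caps the length. This is a
    defence-in-depth layer only: rows stored before the filter was deployed
    are unaffected, so output encoding is still required.
    """
    stripped = TAG_RE.sub("", raw)
    collapsed = " ".join(stripped.split())
    return collapsed[:MAX_LABEL_LEN]


def render_field_label_unsafe(name: str) -> str:
    """The vulnerable pattern: the stored name is interpolated into HTML as-is."""
    return f"<label>{name}</label>"


def render_field_label(name: str) -> str:
    """Workaround 2: HTML entity encoding at output time.

    html.escape(..., quote=True) encodes & < > " and ', which is the same set
    htmlspecialchars($name, ENT_QUOTES) encodes in PHP.
    """
    return f"<label>{html.escape(name, quote=True)}</label>"


def label_has_raw_markup(fragment: str) -> bool:
    """True if any '<' or '>' survived inside the <label> wrapper."""
    inner = fragment[len("<label>"):-len("</label>")]
    return "<" in inner or ">" in inner


def demo() -> dict:
    """Render every sample name both ways and report which outputs still carry markup."""
    report = {}
    for key, raw in SAMPLE_FIELD_NAMES.items():
        report[key] = {
            "sanitized": sanitize_field_name(raw),
            "unsafe_has_markup": label_has_raw_markup(render_field_label_unsafe(raw)),
            "encoded_has_markup": label_has_raw_markup(render_field_label(raw)),
        }
    return report


if __name__ == "__main__":
    for key, row in demo().items():
        print(key, row)
```

Applying the filter at the survey-modification endpoint and the encoding in every template that prints a field name are independent changes; the second one is the one that actually closes the stored-XSS path for data already in redcap tables.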
🧯 If You Can't Patch
- Restrict survey creation/modification permissions to trusted administrators only
- Implement web application firewall (WAF) rules to detect and block XSS payloads in survey data
🔍 How to Verify
Check if Vulnerable:
Check if your REDCap version is 14.9.6 by navigating to Control Center > REDCap Version Information
Check Version:
Query the REDCap database table redcap_config for the row where field_name = 'redcap_version', or check the Control Center interface
Verify Fix Applied:
After upgrading, verify the version shows 14.9.7 or later in Control Center > REDCap Version Information
📡 Detection & Monitoring
Log Indicators:
- Unusual survey modifications by non-admin users
- Survey field names containing script tags or JavaScript code
Network Indicators:
- HTTP requests with suspicious payloads in survey field parameters
SIEM Query:
source="redcap_logs" AND (message="*survey*modified*" OR message="*<script>*")
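The log and network indicators above, turned into a small detector as an added example (not part of the advisory and not REDCap's own logging). REDCap's actual audit-log schema is not described on this page, so the key=value line format, the user and project names and the admin list below are all constructed; the matching rules mirror the indicators listed: survey modifications by non-admin users, and field labels containing script tags or JavaScript (the query above's "*<script>*" clause, widened to javascript: URLs and inline on*= handlers).

```python
import re
from collections import Counter

# Constructed sample audit lines in a hypothetical key=value format.
# "admin1" is the only administrator in this fictional deployment.
SAMPLE_LOG = """\
2025-01-15 10:02:11 user=admin1 project=42 event=survey_modified field=age label="Participant age"
2025-01-15 10:05:43 user=jsmith project=42 event=survey_modified field=consent label="Consent <script>alert(1)</script>"
2025-01-15 10:06:02 user=jsmith project=42 event=survey_modified field=notes label="Notes <img src=x onerror=alert(1)>"
2025-01-15 10:07:30 user=jsmith project=42 event=survey_modified field=phone label="Phone number"
2025-01-15 10:09:00 user=admin1 project=43 event=record_export
2025-01-15 10:10:15 user=mlee project=42 event=survey_modified field=link label="See javascript:alert(1)"
"""

ADMIN_USERS = {"admin1"}

# Script tag, javascript: URL scheme, or an inline on<event>= handler.
SCRIPT_PATTERN = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# key=value pairs; quoted values may contain spaces and '=' signs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one audit line into a dict of its key=value fields (quotes removed)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def flag_line(line: str, admins=ADMIN_USERS) -> list:
    """Return the list of indicator names that fire for this line (empty if none)."""
    fields = parse_line(line)
    reasons = []
    if fields.get("event") == "survey_modified" and fields.get("user") not in admins:
        reasons.append("non_admin_survey_modification")
    if SCRIPT_PATTERN.search(fields.get("label", "")):
        reasons.append("script_in_field_label")
    return reasons


def scan_log(text: str) -> list:
    """Return (line, reasons) for every line that triggers at least one indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        reasons = flag_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


def non_admin_modification_counts(text: str) -> Counter:
    """Per-user count of survey modifications by non-admins, to spot unusual volume."""
    counts = Counter()
    for line, reasons in scan_log(text):
        if "non_admin_survey_modification" in reasons:
            counts[parse_line(line)["user"]] += 1
    return counts


if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG):
        print(", ".join(reasons), "|", line)
    print(non_admin_modification_counts(SAMPLE_LOG))
```

The "script_in_field_label" hits are the ones worth an immediate look; "non_admin_survey_modification" on its own is expected in projects where study staff edit surveys, and is better consumed as the per-user count than as individual alerts.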