CVE-2025-25296
📋 TL;DR
Label Studio's /projects/upload-example endpoint takes a labeling configuration from the label_config GET parameter and renders it into its HTML response without adequate sanitization. An attacker can therefore embed HTML/JavaScript in a crafted URL and have it execute in the browser of any user who opens the link (reflected Cross-Site Scripting). All Label Studio releases before 1.16.0 are affected; instances reachable from the internet are the most exposed, but any deployment whose users can be lured to a link is at risk.
💻 Affected Systems
- Label Studio (all versions before 1.16.0)
📦 What is this software?
Label Studio by HumanSignal is an open-source data labeling platform used to build and curate training datasets for machine learning.
⚠️ Risk & Real-World Impact
Worst Case
Full control of the victim's Label Studio session and everything it permits: theft of sensitive labeling data, account takeover, silent modification of projects and annotations, and, if the victim is an administrator, abuse of user and organization management to reach further into the labeling environment.
Likely Case
Scripts running inside the victim's session perform actions as that user through the same-origin API: reading or exporting project data, exfiltrating it, and manipulating labeled datasets. Label Studio is a Django application and Django marks the session cookie HttpOnly by default, so outright cookie theft is less likely than this kind of in-session abuse.
If Mitigated
A Content Security Policy served in enforcement mode that disallows inline scripts stops the injected payload from running, leaving at most markup injection (defaced or phishing-style content). A CSP deployed in report-only mode only logs violations and does not block execution, so it provides no protection against this issue.
🎯 Exploit Status
Exploitation requires only a URL whose label_config parameter carries an XML labeling configuration with embedded HTML/JavaScript, plus a user who opens it; no special tooling is needed, so it is trivial for anyone with basic web-security knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.16.0
Vendor Advisory: https://github.com/HumanSignal/label-studio/security/advisories/GHSA-wpq5-3366-mqw4
Restart Required: Yes
Instructions:
1. Back up your Label Studio database, storage/media and configuration.
2. Upgrade to 1.16.0 or later. With pip, quote the specifier so the shell does not treat '>' as a redirect: pip install --upgrade 'label-studio>=1.16.0'. If you deploy with Docker, pull an image tagged 1.16.0 or later and recreate the container.
3. Restart the Label Studio service.
4. Confirm with label-studio --version that the running instance reports 1.16.0 or later.
🔧 Temporary Workarounds
Disable upload-example endpoint
Block access to the vulnerable endpoint via web server configuration or application firewall. Caveat: anything that relies on the endpoint, such as the labeling-config preview during project setup, stops working until you patch.
# For nginx (inside the server block that proxies to Label Studio):
location /projects/upload-example { deny all; }
# For Apache:
<Location /projects/upload-example>
    Require all denied
</Location>
Enable strict CSP
Serve a restrictive Content Security Policy in enforcement mode (not report-only); a report-only header logs violations but still lets the injected script run. Test before enforcing: a policy without 'unsafe-inline' may break parts of the Label Studio UI, so stage it with Content-Security-Policy-Report-Only, review the reports, then switch to the enforcing header.
# Add to web server config (nginx; 'always' also sets the header on error responses):
add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules that URL-decode the query string (including double encoding) before matching, then block requests to /projects/upload-example whose label_config parameter contains HTML tags, event-handler attributes (onerror=, onload=) or javascript: URIs
- Restrict network access to Label Studio instances to trusted IP ranges only
🔍 How to Verify
Check if Vulnerable:
Request /projects/upload-example?label_config=<payload> (URL-encoded) against an instance you are authorized to test and inspect the raw response. Prefer an inert marker element such as <lsxss-probe/> inside a minimal <View> config over the classic '<script>alert(1)</script>': if the marker comes back as live markup rather than escaped (&lt;lsxss-probe/&gt;) or rejected, the instance renders the config without sanitization and is unpatched.
Check Version:
label-studio --version
Verify Fix Applied:
After patching, repeat the same request: the marker must come back escaped or the request must be rejected, and label-studio --version must report 1.16.0 or later.
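The check described above, scripted as an added example (it is not from the page's source or from HumanSignal): it sends a labeling config containing an inert marker element instead of an alert() payload and distinguishes an unescaped reflection (the unsanitized rendering the advisory describes) from an escaped one or no reflection at all. The base URL, the optional session cookie and the marker name are assumptions; the endpoint and parameter names are those given on this page. Run it only against instances you are authorized to test.

```python
"""Safe reflection probe for CVE-2025-25296 (Label Studio upload-example XSS).

Added example for this page, not HumanSignal code. Assumed: the target base URL
and session cookie are supplied by the operator; the marker element name is
arbitrary and inert (no script is executed by the probe).
"""
import html
import sys
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlencode

MARKER_TAG = "lsxss-probe-7f3a"  # unique, inert element name (assumed, arbitrary)
PROBE_CONFIG = f'<View><Text name="t" value="$text"/><{MARKER_TAG}/></View>'


def build_probe_url(base_url: str, config: str = PROBE_CONFIG) -> str:
    """Compose the upload-example URL with the probe config URL-encoded."""
    return (base_url.rstrip("/") + "/projects/upload-example?"
            + urlencode({"label_config": config}))


def classify_reflection(body: str, marker: str = MARKER_TAG) -> str:
    """Classify how the response body reflects the marker element.

    'unescaped': marker appears as live markup, i.e. the config is rendered
                 without sanitization (the vulnerable behaviour)
    'escaped'  : marker present only in escaped form (&lt;...) -> neutralised
    'absent'   : marker not reflected (error page, login redirect, stripped)
    """
    raw = f"<{marker}"
    if raw in body:
        return "unescaped"
    if html.escape(raw) in body:  # "&lt;lsxss-probe-7f3a"
        return "escaped"
    return "absent"


def probe(base_url: str, session_cookie: Optional[str] = None,
          timeout: int = 10) -> str:
    """Fetch the probe URL (optionally with a session cookie) and classify it."""
    req = urllib.request.Request(build_probe_url(base_url))
    if session_cookie:  # e.g. "sessionid=..." copied from a logged-in browser
        req.add_header("Cookie", session_cookie)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx bodies can still reflect input
        body = err.read().decode("utf-8", errors="replace")
    return classify_reflection(body)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py https://labelstudio.example.internal [session-cookie]")
    target = sys.argv[1]
    cookie = sys.argv[2] if len(sys.argv) > 2 else None
    verdict = probe(target, cookie)
    suffix = " -> likely VULNERABLE, upgrade to 1.16.0+" if verdict == "unescaped" else ""
    print(f"{target}: marker reflected {verdict}{suffix}")
```

An 'unescaped' verdict is strong evidence the instance is unpatched; 'absent' is inconclusive on its own (the endpoint may require an authenticated session), so pair it with label-studio --version.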
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /projects/upload-example with long or encoded query parameters
- Unusual patterns in label_config parameter values containing script tags or JavaScript
Network Indicators:
- Unusual spikes in requests to the upload-example endpoint
- Requests containing XML/HTML payloads in query strings
SIEM Query (pseudo-syntax; adapt to your platform, and URL-decode query_string before matching where your SIEM supports it, otherwise include encoded variants as below):
source="web_logs" AND uri_path="/projects/upload-example" AND (query_string CONTAINS "script" OR query_string CONTAINS "%3Cscript" OR query_string CONTAINS "javascript" OR query_string CONTAINS "onload=" OR query_string CONTAINS "onerror=" OR query_string CONTAINS "onerror%3D")
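The log indicators above turned into detection logic, as an added example that is not part of the page or of any vendor tooling: it parses nginx/Apache combined-format access lines, extracts the label_config value from requests to the vulnerable path, URL-decodes it repeatedly (double encoding would slip past a literal match on "script" or "onerror="), and flags injection markers. The log lines are constructed for illustration.

```python
"""Scan access logs for CVE-2025-25296 probing of /projects/upload-example.

Added example for this page, not Label Studio or vendor code. Assumes the
nginx/Apache "combined" log format; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# host ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Injection markers in a labeling config, matched after URL-decoding.
# \bon\w+\s*= catches event handlers without firing on words like "Configuration=".
SUSPICIOUS = re.compile(
    r'<\s*script|javascript:|<\s*iframe|<\s*svg|<\s*img|\bon\w+\s*=',
    re.IGNORECASE,
)

TARGET_PATH = "/projects/upload-example"


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double encoding is common)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line):
    """Return a finding for a suspicious upload-example request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None  # only the vulnerable endpoint is of interest
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    for value in params.get("label_config", []):
        decoded = decode_fully(value)
        hit = SUSPICIOUS.search(decoded)
        if hit:
            return {
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "match": hit.group(0),
                "label_config": decoded[:200],
            }
    return None


def scan(lines):
    """Run analyze_line over an iterable of log lines and collect findings."""
    return [f for f in (analyze_line(line) for line in lines) if f]


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    # benign preview of an ordinary labeling config
    '10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /projects/upload-example?label_config=%3CView%3E%3CText%20name%3D%22t%22%20value%3D%22%24text%22/%3E%3C/View%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # single-encoded script tag
    '203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /projects/upload-example?label_config=%3CView%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/View%3E HTTP/1.1" 200 980 "-" "curl/8.4.0"',
    # double-encoded event handler; a literal "script"/"onerror=" match misses it
    '203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /projects/upload-example?label_config=%253CView%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E%253C/View%253E HTTP/1.1" 200 990 "-" "curl/8.4.0"',
    # unrelated endpoint, ignored
    '10.0.0.6 - - [10/Mar/2025:12:00:04 +0000] "GET /projects/1/data?tab=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed real logs in with scan(open(path)); group findings by source IP and correlate with the victim-side symptom (a user's browser issuing the request, typically with a Referer outside your domain) to tell scanning from successful delivery.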