CVE-2025-46654

4.9 MEDIUM

📋 TL;DR

CVE-2025-46654 is a cross-site scripting (XSS) vulnerability in CodiMD that allows attackers to bypass Content Security Policy (CSP) protections by uploading HTML files that reference uploaded JavaScript files. This affects all CodiMD users running versions up to 2.2.0 who allow file uploads, potentially enabling client-side attacks against other users.

💻 Affected Systems

Products:
  • CodiMD
Versions: through 2.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires file upload functionality to be enabled and accessible to attackers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as authenticated users, or delivering malware.

🟠 Likely Case

Attackers with upload privileges could embed malicious scripts that execute when other users view or interact with uploaded content, leading to session hijacking or data theft.

🟢 If Mitigated

With proper CSP configurations and file upload restrictions, impact is limited to users who intentionally download and open malicious files locally.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires upload privileges; detailed proof-of-concept is available in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.1 or later

Vendor Advisory: https://github.com/hackmdio/codimd/issues/1910

Restart Required: Yes

Instructions:

1. Backup your CodiMD instance and database
2. Update to CodiMD version 2.2.1 or later
3. Restart the CodiMD service
4. Verify the fix by checking the version

🔧 Temporary Workarounds

Disable file uploads
Applies to: all

Temporarily disable file upload functionality in the CodiMD configuration.

Set 'allowFileUpload' to false in config.json or environment variables.

Restrict upload extensions
Applies to: all

Configure CodiMD to block HTML and JavaScript file uploads.

Modify 'allowedUploadMimeTypes' in the config to exclude text/html and application/javascript.

🧯 If You Can't Patch

  • Implement strict Content Security Policy headers that block inline scripts and restrict script sources
  • Monitor file upload logs for HTML and JavaScript file uploads and investigate suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check if running CodiMD version 2.2.0 or earlier with file uploads enabled

Check Version:

Check CodiMD web interface footer or run 'npm list codimd' in installation directory

Verify Fix Applied:

Verify installation of CodiMD version 2.2.1 or later and test that HTML files referencing uploaded JS files no longer execute scripts

📡 Detection & Monitoring

Log Indicators:

  • Multiple HTML file uploads from single user
  • HTML files referencing uploaded JavaScript files
  • Unusual file upload patterns

Network Indicators:

  • HTTP requests for uploaded .js files from HTML pages
  • Suspicious Content-Type headers in upload requests

SIEM Query:

source="codimd" AND (event="file_upload" AND (file_extension="html" OR file_extension="js"))
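The two log indicators above (many HTML/JS uploads from one user, and HTML files whose script tags point back into the upload directory) can be checked offline. The script below is an added example for this advisory, not CodiMD code: the upload log line format, the /uploads/ URL prefix and the sample records and HTML bodies are constructed assumptions. It counts script-capable uploads per user and resolves every script src in an uploaded HTML file against that file's own upload URL, so relative, root-relative and protocol-relative references that land in the upload directory are all flagged, while references to external hosts are not.

```python
import re
from collections import Counter
from urllib.parse import urljoin, urlparse

# Assumed path under which CodiMD serves uploaded files (constructed; check your instance).
UPLOAD_PREFIX = "/uploads/"

# Constructed sample upload log lines; this is not real CodiMD log output.
SAMPLE_LOG = """\
2025-05-01T09:58:12Z upload user=alice file=diagram.png type=image/png
2025-05-01T10:00:03Z upload user=mallory file=loader.js type=application/javascript
2025-05-01T10:00:41Z upload user=mallory file=page.html type=text/html
2025-05-01T10:01:07Z upload user=mallory file=page2.html type=text/html
2025-05-01T10:02:30Z upload user=bob file=report.html type=text/html
"""

# Constructed bodies of two of the uploaded HTML files, keyed by upload filename.
SAMPLE_HTML = {
    "page.html": (
        '<html><body><script src="loader.js"></script>'
        "<script type=module src=/uploads/stage2.js></script></body></html>"
    ),
    "report.html": (
        '<html><body><h1>Q1</h1>'
        '<script src="https://cdn.example.invalid/chart.js"></script></body></html>'
    ),
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) upload user=(?P<user>\S+) file=(?P<file>\S+) type=(?P<type>\S+)$"
)
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

# Extensions and declared MIME types that can carry script (the SIEM query's html/js filter).
ACTIVE_EXTS = {".html", ".htm", ".js"}
ACTIVE_TYPES = {"text/html", "application/javascript", "text/javascript"}


def parse_log(text):
    """Parse the assumed 'upload user= file= type=' log format into dicts."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def active_content_uploads(records):
    """Uploads whose extension or declared MIME type can carry script."""
    out = []
    for r in records:
        name = r["file"].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in ACTIVE_EXTS or r["type"].lower() in ACTIVE_TYPES:
            out.append(r)
    return out


def users_exceeding(records, threshold=2):
    """Users with at least `threshold` HTML/JS uploads (the 'multiple uploads from one user' indicator)."""
    counts = Counter(r["user"] for r in active_content_uploads(records))
    return {user: n for user, n in counts.items() if n >= threshold}


def referenced_upload_scripts(html, filename):
    """Paths of script tags in an uploaded HTML file that resolve into the upload directory.

    Resolution is done against the file's own upload URL, so a bare 'loader.js'
    resolves to /uploads/loader.js just as it would in a victim's browser.
    """
    base = urljoin("http://codimd.invalid" + UPLOAD_PREFIX, filename)
    hits = set()
    for m in SCRIPT_SRC_RE.finditer(html):
        path = urlparse(urljoin(base, m.group(1))).path
        if path.startswith(UPLOAD_PREFIX):
            hits.add(path)
    return sorted(hits)


def flag_html_uploads(files):
    """Map each uploaded HTML file to the upload-directory scripts it references; empty results are dropped."""
    flagged = {}
    for filename, body in files.items():
        refs = referenced_upload_scripts(body, filename)
        if refs:
            flagged[filename] = refs
    return flagged


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("users with repeated HTML/JS uploads:", users_exceeding(records))
    print("HTML uploads referencing uploaded scripts:", flag_html_uploads(SAMPLE_HTML))
```

Run against the constructed samples, the per-user count singles out mallory (three script-capable uploads) and the content scan flags page.html for both /uploads/loader.js and /uploads/stage2.js, while report.html, whose only script comes from an external CDN, is left alone. In production, replace SAMPLE_LOG with your upload log and SAMPLE_HTML with the bodies read from the upload directory.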
