CVE-2025-53528
📋 TL;DR
CVE-2025-53528 is a reflected cross-site scripting (XSS) vulnerability in Cadwyn's API documentation endpoint. An attacker can craft a malicious URL containing JavaScript payloads that execute in victims' browsers when they visit the '/docs' page. This affects all applications using vulnerable versions of Cadwyn for FastAPI API versioning.
💻 Affected Systems
- Cadwyn
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy malware via drive-by downloads.
Likely Case
Session hijacking, credential theft, or unauthorized API calls using stolen authentication tokens.
If Mitigated
Limited impact if proper Content Security Policy (CSP) headers are implemented and sessions have short timeouts.
🎯 Exploit Status
One-click attack via crafted URLs; exploitation requires user interaction (the victim must visit a malicious link).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4.3
Vendor Advisory: https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r
Restart Required: Yes
Instructions:
1. Update the Cadwyn dependency to version 5.4.3 or later.
2. Run: pip install --upgrade "cadwyn>=5.4.3" (the quotes stop the shell from treating > as an output redirect).
3. Restart your FastAPI application.
🔧 Temporary Workarounds
Disable /docs endpoint
Remove or disable the vulnerable documentation endpoint in production environments.
Configure FastAPI with docs_url=None in your application initialization (redoc_url=None does the same for the /redoc page).
Implement Content Security Policy
Add CSP headers to prevent script execution from untrusted sources.
Add headers: Content-Security-Policy: script-src 'self'
Note that FastAPI's default Swagger UI page loads its scripts from a CDN (cdn.jsdelivr.net), so a script-src 'self' policy also blocks the docs page itself unless that origin is added or the assets are served locally.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for the version parameter
- Deploy a WAF (Web Application Firewall) with XSS protection rules
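The two "If You Can't Patch" measures above, input validation and output encoding for the version parameter, shown side by side with the pattern that produces a reflected XSS. This is an added example, not Cadwyn's own code: the allowlist pattern (date-shaped versions or the literal "head") and the page-rendering helpers are assumptions made for illustration only.

```python
import html
import re
from typing import Optional

# Assumed allowlist for the version parameter (Cadwyn identifies versions by
# date, e.g. "2024-01-01", plus "head"); treat the pattern as an assumption.
VERSION_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}|head)$")
MAX_VERSION_LEN = 32


def validate_version(raw: str) -> Optional[str]:
    """Return the version string only if it matches the allowlist, else None."""
    if len(raw) > MAX_VERSION_LEN:
        return None
    return raw if VERSION_RE.fullmatch(raw) else None


def render_docs_title_unsafe(version: str) -> str:
    """Vulnerable pattern: untrusted query input pasted straight into HTML."""
    return f"<title>API docs - {version}</title>"


def render_docs_title(version: str) -> str:
    """Hardened: reject unexpected values, then HTML-encode what is embedded."""
    safe = validate_version(version)
    if safe is None:
        safe = "head"  # fall back to a known value instead of reflecting input
    return f"<title>API docs - {html.escape(safe, quote=True)}</title>"


def render_unknown_version_error(raw: str) -> str:
    """Output encoding alone, for places that must echo the raw value back."""
    return f"<p>Unknown API version: {html.escape(raw, quote=True)}</p>"


if __name__ == "__main__":
    probe = "<script>"
    print(render_docs_title_unsafe(probe))        # markup survives: XSS
    print(render_docs_title(probe))               # falls back to "head"
    print(render_unknown_version_error(probe))    # markup neutralised
```

Validation rejects anything that is not a version, and encoding covers the cases where the raw value still has to appear on the page (error messages); use both, since neither one alone protects every sink.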
🔍 How to Verify
Check if Vulnerable:
Check if your application uses Cadwyn <5.4.3 and has the /docs endpoint accessible.
Check Version:
pip show cadwyn | grep Version
Verify Fix Applied:
Confirm Cadwyn version is 5.4.3 or higher and test the /docs endpoint with XSS payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual length or special characters in version parameter of /docs requests
- Multiple failed requests to /docs with encoded payloads
Network Indicators:
- HTTP requests to /docs with script tags or JavaScript in query parameters
SIEM Query:
source="web_logs" AND uri_path="/docs" AND (query_string="*<script>*" OR query_string="*javascript:*")
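The detection logic from the indicators above, run over access-log lines. This is an added example, not part of the original advisory; the log lines are constructed for the example and the combined-log-format regex, the indicator names and the per-IP threshold are assumptions. Unlike the SIEM query, which only matches a literal <script> in the query string, the code URL-decodes each parameter (repeatedly, so double-encoded payloads are caught) before applying the checks, and it counts repeat requests per source address.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log sample (combined log format); not from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2025:10:01:02 +0000] "GET /docs?version=2024-01-01 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Aug/2025:10:01:09 +0000] "GET /docs?version=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5230 "-" "curl/8.0"
10.0.0.7 - - [12/Aug/2025:10:01:15 +0000] "GET /docs?version=javascript%3Aalert(1) HTTP/1.1" 200 5200 "-" "curl/8.0"
10.0.0.9 - - [12/Aug/2025:10:02:30 +0000] "GET /openapi.json HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2025:10:03:00 +0000] "GET /docs?version=%2522%253E%253Cscript%253E HTTP/1.1" 200 5100 "-" "python-requests/2.31"
"""

# Assumed log layout: ip ident user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|on\w+\s*=", re.IGNORECASE)
VERSION_SHAPE = re.compile(r"[\w.-]*")   # what a benign version value looks like
MAX_VERSION_LEN = 32


def decode_fully(value, rounds=3):
    """URL-decode until stable so %2522 -> %22 -> \" is seen as a quote."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return indicator names for one request target; empty list if clean."""
    parts = urlsplit(target)
    if parts.path != "/docs":
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_fully(value)      # parse_qsl already decoded once
        if SUSPICIOUS.search(decoded):
            findings.append(f"script_like:{name}")
        if name == "version" and (
            len(decoded) > MAX_VERSION_LEN or not VERSION_SHAPE.fullmatch(decoded)
        ):
            findings.append("version_unexpected")
    return findings


def scan_log(text):
    """Apply the indicators to each line; return (ip, findings) for hits."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        findings = inspect_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), findings))
    return hits


def repeat_offenders(hits, threshold=2):
    """Source addresses with at least `threshold` suspicious /docs requests."""
    counts = Counter(ip for ip, _ in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, findings in found:
        print(ip, findings)
    print("repeat offenders:", repeat_offenders(found))
```

The `version_unexpected` check is deliberately loose (anything outside letters, digits, dot, dash or underscore, or overly long) so that it flags encoded payloads the script-pattern regex does not recognise; tune the threshold to your traffic before alerting on it.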