CVE-2025-53838

5.4 MEDIUM

📋 TL;DR

LinkAce versions before 2.1.9 contain a stored cross-site scripting vulnerability that allows attackers to inject malicious JavaScript into link attributes. When users click on crafted links, the JavaScript executes in their browsers, potentially stealing session cookies or performing actions on their behalf. This affects all LinkAce instances running vulnerable versions.

💻 Affected Systems

Products:
  • LinkAce
Versions: All versions prior to 2.1.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All LinkAce installations with default configurations are vulnerable if running affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, take over accounts, deface the application, or redirect users to malicious sites.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions performed in the context of authenticated users.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, though the vulnerability still exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires creating malicious links that users must click, but no authentication is needed to create links in most configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.9

Vendor Advisory: https://github.com/Kovah/LinkAce/security/advisories/GHSA-vwmx-v9qf-q656

Restart Required: No

Instructions:

1. Back up your LinkAce database and files.
2. Update LinkAce to version 2.1.9 or later via git pull or package update.
3. Run database migrations if required.
4. Clear the application cache.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize link attributes before storage.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Disable user link creation functionality or restrict to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check the LinkAce version in the admin panel or via the 'php artisan --version' command. If the version is below 2.1.9, the system is vulnerable.

Check Version:

php artisan --version

Verify Fix Applied:

Confirm version is 2.1.9 or higher and test by attempting to inject JavaScript into link attributes - it should be properly escaped.

📡 Detection & Monitoring

Log Indicators:

  • Unusual link creation patterns
  • JavaScript code in link attributes in database logs

Network Indicators:

  • Unexpected outbound connections from user browsers after clicking links

SIEM Query:

search 'LinkAce' AND ('link created' OR 'link updated') AND contains('javascript:' OR '<script>')
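
A triage script for the log indicator above ("JavaScript code in link attributes"), added here as an example and not taken from LinkAce or the vendor advisory. The field names `url`, `title` and `description`, the http/https allow-list and the sample rows are assumptions constructed for illustration; unlike a plain substring match, it decodes HTML entities and ignores case and whitespace before judging a value.

```python
import html
import re

# Assumptions (not from LinkAce): field names and the http/https allow-list.
URL_FIELDS = ("url",)
TEXT_FIELDS = ("title", "description")
ALLOWED_SCHEMES = {"http", "https"}
SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.I)  # loose on purpose: errs toward flagging
EDGE_CHARS = "".join(map(chr, range(0x21)))   # C0 controls and space

# Constructed sample rows; none come from a real LinkAce database.
SAMPLE_LINKS = [
    {"id": 1, "url": "https://example.org/docs", "title": "Docs"},
    {"id": 2, "url": "JavaScript:void(0)", "title": "Case variation"},
    {"id": 3, "url": " &#106;avascript:void(0)", "title": "Entity-encoded"},
    {"id": 4, "url": "https://example.org/", "title": "<script>void 0</script>"},
]

def decode(value):
    """HTML-unescape until stable, so nested entity encoding is undone too."""
    for _ in range(5):
        value, previous = html.unescape(value), value
        if value == previous:
            break
    return value

def url_scheme(value):
    """Scheme as a URL parser sees it: edge whitespace/control characters and
    embedded tab/CR/LF are ignored, and case does not matter."""
    cleaned = re.sub(r"[\t\r\n]", "", decode(value)).strip(EDGE_CHARS)
    match = SCHEME.match(cleaned)
    return match.group(1).lower() if match else ""

def audit_link(record):
    """Return (field, reason) findings for one stored link record."""
    findings = []
    for field in URL_FIELDS:
        scheme = url_scheme(record.get(field) or "")
        if scheme not in ALLOWED_SCHEMES:
            findings.append((field, f"scheme {scheme or 'missing'!r} not allowed"))
    for field in URL_FIELDS + TEXT_FIELDS:
        if MARKUP.search(decode(record.get(field) or "")):
            findings.append((field, "HTML markup"))
    return findings

def audit(records):
    """Map record id to its findings, keeping only records that have any."""
    return {r["id"]: f for r in records if (f := audit_link(r))}
```

Findings are candidates for manual review, not confirmed injections: a title such as "a <b" is flagged as well.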
