CVE-2025-54806

6.1 MEDIUM

📋 TL;DR

GROWI v4.2.7 and earlier contains a stored cross-site scripting vulnerability in the page alert function. Attackers can craft malicious URLs that execute arbitrary JavaScript in victims' browsers when accessed by authenticated users. This affects all GROWI instances running vulnerable versions.

💻 Affected Systems

Products:
  • GROWI
Versions: v4.2.7 and earlier
Operating Systems: All platforms running GROWI
Default Config Vulnerable: ⚠️ Yes
Notes: All GROWI deployments with the vulnerable version are affected regardless of configuration. The vulnerability requires user authentication to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as the victim user, redirect to malicious sites, or compromise user accounts through social engineering.

🟠 Likely Case

Attackers would typically use this to steal session tokens or credentials, potentially leading to account takeover and unauthorized access to GROWI content.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executed.

🌐 Internet-Facing: HIGH - Public GROWI instances are directly accessible to attackers who can craft malicious URLs and trick users into clicking them.
🏢 Internal Only: MEDIUM - Internal instances still face risk from insider threats or compromised internal accounts, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to craft a malicious URL and convince an authenticated user to click it. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.2.8 or later

Vendor Advisory: https://growi.co.jp/news/38/

Restart Required: No

Instructions:

1. Update GROWI to version 4.2.8 or later.
2. Follow GROWI's standard update procedures.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable page alert function (applies to: all)

Temporarily disable the vulnerable page alert feature if immediate patching isn't possible.

Implement Content Security Policy (applies to: all)

Add CSP headers to restrict script execution sources.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all user-controlled data
  • Educate users about phishing risks and suspicious URLs

🔍 How to Verify

Check if Vulnerable:

Check GROWI version in admin panel or via API. Versions 4.2.7 and earlier are vulnerable.

Check Version:

Check the GROWI admin dashboard or query the GROWI API endpoint /_api/v3/version.

Verify Fix Applied:

Verify GROWI version is 4.2.8 or later. Test page alert functionality with safe test payloads.
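As an added example (not code from this advisory or from the GROWI project), the version check described above as a small script: it parses the version string returned by the version endpoint and compares it against the first fixed release, v4.2.8, treating a pre-release build of 4.2.8 conservatively as still affected. The JSON field name `version`, the sample response and the host inventory are assumptions constructed for the example.

```python
"""Added example: classify GROWI version strings against CVE-2025-54806
(affected: v4.2.7 and earlier; first fixed release: v4.2.8)."""
import json
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (4, 2, 8)  # first fixed release named in the advisory

# Accepts "v4.2.7", "4.2.7" and "4.2.8-RC.1"; the optional suffix marks a pre-release.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")


def parse_version(raw: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4) is not None


def is_affected(raw: str) -> bool:
    """True when the version is below v4.2.8, or is a pre-release of v4.2.8."""
    parsed = parse_version(raw)
    if parsed is None:
        raise ValueError(f"unrecognised GROWI version string: {raw!r}")
    core, prerelease = parsed
    # A pre-release of the fixed version precedes the fix itself, so flag it.
    return core < FIXED_VERSION or (core == FIXED_VERSION and prerelease)


def check_response(body: str, field: str = "version") -> bool:
    """Decide from a JSON body; the field name is an assumption, not the documented API shape."""
    return is_affected(json.loads(body)[field])


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Given host -> reported version, return the hosts that still need the update."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample data for an offline run.
SAMPLE_RESPONSE = json.dumps({"version": "v4.2.7"})
SAMPLE_INVENTORY = {"wiki-a": "v4.2.7", "wiki-b": "4.2.8", "wiki-c": "v4.2.8-RC.1", "wiki-d": "v5.0.0"}

if __name__ == "__main__":
    print("sample response affected:", check_response(SAMPLE_RESPONSE))
    print("hosts needing update:", affected_hosts(SAMPLE_INVENTORY))
```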

📡 Detection & Monitoring

Log Indicators:

  • Unusual page alert creations
  • Suspicious URL parameters in access logs
  • Multiple failed authentication attempts followed by alert access

Network Indicators:

  • Requests with suspicious JavaScript in URL parameters
  • Unusual outbound connections from GROWI users' browsers

SIEM Query:

source="growi_access_logs" AND (uri="*alert*" OR uri="*javascript:*" OR uri="*<script>*")
