CVE-2025-56683
📋 TL;DR
This cross-site scripting (XSS) vulnerability in Logseq v0.10.9 allows attackers to execute arbitrary JavaScript code by injecting malicious scripts into README.md files that are processed by the /app/marketplace.html component. This affects all users running the vulnerable version of Logseq, potentially leading to remote code execution if combined with other vulnerabilities.
💻 Affected Systems
- Logseq
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers achieve remote code execution on user systems, potentially compromising sensitive data, installing malware, or taking full control of affected devices.
Likely Case
Attackers execute arbitrary JavaScript in the context of the Logseq application, enabling session hijacking, credential theft, and unauthorized access to local files.
If Mitigated
With proper input validation and output encoding, the XSS payloads would be neutralized, preventing script execution.
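As an added example (not Logseq's code and not the fix in the commit referenced on this page), the following JavaScript shows the output-encoding step the sentence above refers to: untrusted README text is HTML-encoded before it is placed into the marketplace view, so any markup it carries is displayed as literal text instead of being parsed. The function names, the wrapper elements and the sample README content are all constructed for this illustration; the two inline-HTML lines in the sample are the standard harmless XSS test strings.

```javascript
// Added example, not Logseq's code: output-encode untrusted README text before
// it is placed in HTML so that any markup it carries is displayed, not parsed.

// The five characters that can change HTML parsing context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Each source character is replaced exactly once, in a single pass, so the
// replacement text itself is never re-scanned.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (constructed to mirror the bug class described above):
// untrusted README text is interpolated straight into HTML.
function renderReadmeUnsafe(readmeText) {
  return `<div class="readme">${readmeText}</div>`;
}

// Hardened pattern: encode first, then wrap. <pre> keeps line structure
// readable without giving the input any way to open a tag.
function renderReadmeSafe(readmeText) {
  return `<pre class="readme">${escapeHtml(readmeText)}</pre>`;
}

// Verification helper: after stripping the wrapper we emitted ourselves, does
// the content part of the rendered HTML still open any tag? An HTML parser
// treats "<" followed by a letter, "!" or "/" as the start of markup.
function contentOpensTag(renderedHtml) {
  const inner = renderedHtml
    .replace(/^<(div|pre) class="readme">/, "")
    .replace(/<\/(div|pre)>$/, "");
  return /<\/?[a-z!]/i.test(inner);
}

// Constructed sample README, the kind of text a plugin listing would render.
// The two inline-HTML lines are standard XSS test strings, not a working exploit.
const SAMPLE_README = [
  "# Example Plugin",
  "Adds a *toolbar* button.",
  '<img src=x onerror="alert(1)">',
  "<script>alert(1)</script>",
].join("\n");

// Render the same README both ways and report whether the content part of
// each result can still open a tag.
function demo() {
  const unsafe = renderReadmeUnsafe(SAMPLE_README);
  const safe = renderReadmeSafe(SAMPLE_README);
  return {
    unsafeOpensTag: contentOpensTag(unsafe), // true: the markup survives
    safeOpensTag: contentOpensTag(safe),     // false: shown as literal text
    safeHtml: safe,
  };
}
```

Encoding everything is the conservative choice: if the listing needs real markdown formatting, the encoded text should be fed to a markdown renderer configured to reject raw HTML, or the renderer's output passed through a maintained allow-list sanitizer, rather than relaxing the encoding by hand.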
🎯 Exploit Status
Exploitation requires tricking users into opening malicious README.md files, which could be distributed via plugin repositories or social engineering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 4cdf49aedd8de073015b6945a529399c3bfa109a
Vendor Advisory: https://github.com/logseq/logseq/commit/4cdf49aedd8de073015b6945a529399c3bfa109a
Restart Required: Yes
Instructions:
1. Update Logseq to the latest version.
2. Restart the application.
3. Verify the fix by checking that the marketplace.html component properly sanitizes README.md content.
🔧 Temporary Workarounds
Disable Marketplace Access
Temporarily disable access to the marketplace component to prevent exploitation.
# Modify application configuration to disable marketplace features
# Block access to /app/marketplace.html in application settings
Content Security Policy
Implement strict Content Security Policy headers to restrict script execution.
# Add CSP header: Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Restrict user permissions to prevent execution of arbitrary scripts
- Implement network segmentation to isolate vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check whether the Logseq version is 0.10.9 and whether README.md files containing JavaScript payloads execute in the marketplace component.
Check Version:
logseq --version or check application settings for version information
Verify Fix Applied:
Verify that the commit 4cdf49aedd8de073015b6945a529399c3bfa109a is included in your Logseq installation and test that JavaScript in README.md files no longer executes.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution in marketplace context
- Suspicious file access patterns from README.md processing
Network Indicators:
- Unexpected outbound connections from Logseq process
- Downloads of suspicious README.md files
SIEM Query:
process_name:"Logseq" AND (event_type:"script_execution" OR file_path:"README.md")
🔗 References
- https://github.com/logseq/logseq
- https://github.com/logseq/logseq/commit/4cdf49aedd8de073015b6945a529399c3bfa109a#diff-25789e3ba4c2adf4a68996260eb693a441b4a834c38b76167a120f0b51b969f7R72-R74
- https://github.com/martinkubecka/Attributed-CVEs/blob/main/unresolved-vulnerabilities/logseq_xss_to_rce.md
- https://martinkubecka.sk/security-advisories/cve-2025-56683/