CVE-2025-57731

8.7 HIGH

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in JetBrains YouTrack allows attackers to inject malicious scripts into Mermaid diagram content that persists in the system and executes when viewed by other users. All YouTrack instances running vulnerable versions are affected, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • JetBrains YouTrack
Versions: All versions before 2025.2.92387
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all YouTrack deployments regardless of configuration when using Mermaid diagram functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, take over YouTrack instances, access sensitive project data, and pivot to internal networks.

🟠 Likely Case

Session hijacking, data theft from user browsers, defacement of YouTrack content, and limited privilege escalation.

🟢 If Mitigated

With input validation and output encoding in place, impact is limited to content manipulation within YouTrack.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access to create or modify content containing Mermaid diagrams. Exploitation is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.2.92387

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Back up your YouTrack instance.
2. Download YouTrack version 2025.2.92387 or later from JetBrains.
3. Stop the YouTrack service.
4. Install the updated version.
5. Restart the YouTrack service.
6. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable Mermaid Diagram Feature (applies to: all)

Temporarily disable Mermaid diagram functionality to prevent exploitation. Modify the YouTrack configuration to disable Mermaid diagram support (the specific configuration depends on the deployment method).

Implement Content Security Policy (applies to: all)

Add strict CSP headers to limit script execution: add a 'Content-Security-Policy' header with script-src directives restricting inline scripts.

🧯 If You Can't Patch

  • Restrict user permissions to limit who can create/edit content with Mermaid diagrams
  • Implement web application firewall rules to detect and block XSS payloads in Mermaid content

🔍 How to Verify

Check if Vulnerable:

Check the YouTrack version in the administration panel or via the API. If the version is earlier than 2025.2.92387, the system is vulnerable.

Check Version:

In the YouTrack web interface go to Administration → System → About, or query the API endpoint /api/admin/version.

Verify Fix Applied:

After updating, confirm the reported version is 2025.2.92387 or later and test Mermaid diagram functionality to confirm diagram content is properly sanitized.
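A version check for an inventory of YouTrack hosts, added here as an example (not code from the page or from JetBrains). It assumes the version string has the year.release.build shape shown above (e.g. "2025.2.92387") and that the value returned by /api/admin/version has already been decoded into a plain string per host; the inventory below is constructed sample data.

```python
"""Flag YouTrack instances whose build is below the CVE-2025-57731 fix version.

Versions look like "2025.2.92387" (year.release.build). String comparison is
wrong here ("2025.2.9" sorts after "2025.2.92387"), so each part is compared
as an integer.
"""
import re

FIXED_VERSION = "2025.2.92387"  # fix version stated in the advisory on this page

# Accepts "2025.2.92387" and tolerates trailing text such as a build label
# (assumption: the numeric triple always comes first).
_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[int, int, int]:
    """Return (year, release, build) as ints; raise on unrecognised input."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised YouTrack version string: {version!r}")
    year, release, build = (int(p) for p in m.groups())
    return (year, release, build)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the instance runs a build earlier than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split hosts into patch-needed, patched, and unparseable buckets."""
    result: dict[str, list[str]] = {"needs_patch": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "needs_patch" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"  # do not silently treat a bad string as safe
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "yt-prod.example.internal": "2025.2.92386",
    "yt-staging.example.internal": "2025.2.92387",
    "yt-legacy.example.internal": "2024.3.50000",
    "yt-broken.example.internal": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```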

📡 Detection & Monitoring

Log Indicators:

  • Unusual Mermaid diagram creation/modification patterns
  • JavaScript execution errors in user logs
  • Suspicious content containing script tags in diagram data

Network Indicators:

  • Unexpected outbound connections from YouTrack to external domains
  • Data exfiltration patterns from YouTrack sessions

SIEM Query:

source="youtrack" AND (mermaid OR diagram) AND (script OR javascript OR alert OR onerror)
