CVE-2025-62780

3.5 LOW

📋 TL;DR

This stored XSS vulnerability in changedetection.io allows attackers to inject malicious JavaScript into watch URLs. When users click Preview on these malicious links, the script executes in their browser context. All users running versions prior to 0.50.34 are affected.

💻 Affected Systems

Products:
  • changedetection.io
Versions: All versions prior to 0.50.34
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both new watch creation and existing watch modification scenarios.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker steals session cookies, performs actions as the victim, or redirects to phishing sites leading to account compromise.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions within the changedetection.io interface.

🟢 If Mitigated

Limited impact if proper content security policies and input validation are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access to create or modify watches. Exploitation is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.50.34

Vendor Advisory: https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4c3j-3h7v-22q9

Restart Required: Yes

Instructions:

1. Backup your configuration and data.
2. Update changedetection.io to version 0.50.34 or later.
3. Restart the changedetection.io service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Enhancement (all): Implement strict URL validation to reject JavaScript URLs and suspicious schemes

Content Security Policy (all): Implement CSP headers to restrict script execution from untrusted sources

🧯 If You Can't Patch

  • Restrict user permissions to prevent unauthorized watch creation/modification
  • Implement network segmentation to isolate changedetection.io instances

🔍 How to Verify

Check if Vulnerable:

Check if changedetection.io version is below 0.50.34 in the web interface or configuration

Check Version:

Check web interface settings or docker inspect for version information

Verify Fix Applied:

Confirm version is 0.50.34 or higher and test that JavaScript URLs are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual watch creation/modification patterns
  • JavaScript URLs in watch configurations

Network Indicators:

  • Unexpected outbound connections from changedetection.io to attacker-controlled domains

SIEM Query:

source="changedetection.io" AND (url="javascript:*" OR url="data:*")
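The "Input Validation Enhancement" workaround and the "JavaScript URLs in watch configurations" log indicator both come down to the same check: a watch URL must be an absolute http(s) URL and nothing else. The following is an added example, not code from changedetection.io or its maintainers. It assumes watches are available as a dict keyed by a watch id with a "url" field (the `SAMPLE_WATCHES` data and the `w1`..`w5` ids are constructed for the demonstration, not the project's real storage layout), and it strips ASCII control characters before checking so that a scheme such as `java<TAB>script:` is not waved through by a naive prefix match.

```python
"""Added example: scheme allow-list for watch URLs plus a sweep over existing
watches for entries that would fail it. Not code from changedetection.io."""
from urllib.parse import urlsplit

# Only plain web URLs make sense as watch targets; every other scheme is rejected.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_watch_url(url) -> bool:
    """Return True only for an absolute http(s) URL with a host component.

    Rejects javascript:, data:, vbscript: and any other scheme, as well as
    scheme-relative ("//host/path") and bare values, so a rendered Preview
    link can never carry script.
    """
    if not isinstance(url, str):
        return False
    # Browsers discard ASCII control characters while parsing a URL, so
    # "java\tscript:" would still execute; remove them before classifying.
    cleaned = "".join(
        ch for ch in url.strip() if ord(ch) >= 0x20 and ord(ch) != 0x7F
    )
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. an unbalanced IPv6 literal such as "http://[::1"
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def find_suspicious_watches(watches: dict) -> list:
    """Return (watch_id, url) for every watch whose URL fails the allow-list.

    `watches` is assumed to map a watch id to a dict with a "url" key; this is
    a simplified stand-in for the application's own data layout.
    """
    return [
        (watch_id, entry.get("url", ""))
        for watch_id, entry in watches.items()
        if not is_safe_watch_url(entry.get("url", ""))
    ]


# Constructed sample data for the demonstration; ids and URLs are made up.
SAMPLE_WATCHES = {
    "w1": {"url": "https://example.com/pricing"},
    "w2": {"url": "javascript:alert(1)"},
    "w3": {"url": "JAVA\tSCRIPT:alert(1)"},
    "w4": {"url": "data:text/html,hello"},
    "w5": {"url": "http://intranet.example/status"},
}

if __name__ == "__main__":
    for watch_id, url in find_suspicious_watches(SAMPLE_WATCHES):
        print(f"{watch_id}: rejected {url!r}")
```

Run as a script it reports `w2`, `w3` and `w4`. The same `is_safe_watch_url` check can sit in front of the save path for new and edited watches (the two scenarios the advisory names) and in a periodic sweep of stored watches to feed the log indicators above. Restricting the scheme is defence in depth only; it does not replace upgrading to 0.50.34, where the rendering side is fixed.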
