CVE-2025-63708

6.1 MEDIUM

📋 TL;DR

A Cross-Site Scripting (XSS) vulnerability in SourceCodester AI Font Matcher allows attackers to inject malicious JavaScript through font family names in webfonts API requests. This enables session cookie theft, account hijacking, and unauthorized actions on behalf of authenticated users. Anyone using the vulnerable AI Font Matcher software is affected.

💻 Affected Systems

Products:
  • SourceCodester AI Font Matcher
Versions: All versions prior to patch (specific version unknown)
Operating Systems: All platforms running the vulnerable software
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the webfonts API handling mechanism where font family names are not properly sanitized.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, session hijacking, data theft, and unauthorized administrative actions performed on behalf of authenticated users.

🟠 Likely Case: Session cookie theft leading to account compromise and unauthorized access to user data.

🟢 If Mitigated: Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves intercepting fetch requests to the webfonts endpoint and injecting malicious JavaScript payloads through font family names.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/javascript/18425/ai-font-matcher-using-html-css-and-javascript-source-code.html

Restart Required: No

Instructions:

No official patch is available. Implement input validation and output encoding for font family names in the webfonts API.

🔧 Temporary Workarounds

Implement Input Validation (applies to: all)

Add server-side validation to sanitize font family names before processing.

// JavaScript example: strip the characters that open or close HTML tags and attribute values
const sanitizedFontName = fontName.replace(/[<>"']/g, '');
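The one-line strip above only removes tag and quote characters, so a name that never uses them still passes through unchanged. The following is an added example, not code from the advisory or from AI Font Matcher: it allowlists font family names on input, HTML-encodes them on output, and compares both with the naive strip on constructed sample names. The rendering helper assumes the application places the name in a quoted style attribute and as element text.

```javascript
// Added example (not part of the advisory or the AI Font Matcher source).
// Real font family names are letters, digits, spaces, hyphens and
// underscores; anything else is rejected rather than "cleaned".
const FONT_FAMILY_RE = /^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$/;

function isValidFontFamily(name) {
  return typeof name === 'string' && FONT_FAMILY_RE.test(name);
}

// Output encoding for the HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The advisory's one-line workaround, kept here for comparison.
function naiveStrip(name) {
  return name.replace(/[<>"']/g, '');
}

// Hardened rendering (assumed markup shape): validate first, then encode,
// and keep the name inside a quoted attribute and as text content.
function renderFontOption(name) {
  if (!isValidFontFamily(name)) return null; // reject, do not repair
  const safe = escapeHtml(name);
  return `<li style="font-family: '${safe}'">${safe}</li>`;
}

// Constructed sample names (not taken from the advisory).
const SAMPLES = [
  'Open Sans',
  'Roboto Mono',
  '<script>alert(1)</script>',
  'x onmouseover=alert(1)', // contains none of <>"' so naiveStrip keeps it whole
];

function checkSamples() {
  return SAMPLES.map((s) => ({
    name: s,
    naive: naiveStrip(s),
    rendered: renderFontOption(s),
  }));
}
```

The last sample shows why validation must fail closed: the strip leaves an attribute-style string intact, while the allowlist rejects it and the two legitimate names render unchanged.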

Content Security Policy (applies to: all)

Implement CSP headers to restrict script execution from untrusted sources.

Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Disable or restrict access to the webfonts API endpoint
  • Implement WAF rules to block suspicious font family name patterns

🔍 How to Verify

Check if Vulnerable:

Test by injecting script payloads into font family name parameters in webfonts API requests and checking whether they execute.

Check Version:

Check software version in application interface or configuration files.

Verify Fix Applied:

Verify that script payloads in font family names are properly sanitized and do not execute in the browser.

📡 Detection & Monitoring

Log Indicators:

  • Unusual font family names containing script tags or JavaScript code in webfonts API logs

Network Indicators:

  • HTTP requests to webfonts endpoint with suspicious parameters containing script payloads

SIEM Query (parenthesised so the payload match applies only to the font_family parameter):

source="webfonts_api" AND param="font_family" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
