CVE-2025-64442 – HumHub versions below 1.17.4 contain a cross-si... (How to Fix)

Q: What is the severity of CVE-2025-64442?

CVE-2025-64442 has a CVSS score of 6.1 (MEDIUM). HumHub versions below 1.17.4 contain a cross-site scripting (XSS) vulnerability in the Meta-Search feature that allows attackers to inject malicious scripts into search previews. When exploited, this can lead to session hijacking, credential theft, or redirection to malicious sites. All HumHub instances running vulnerable versions with the Meta-Search feature enabled are affected.

📋 TL;DR

HumHub versions below 1.17.4 contain a cross-site scripting (XSS) vulnerability in the Meta-Search feature that allows attackers to inject malicious scripts into search previews. When exploited, this can lead to session hijacking, credential theft, or redirection to malicious sites. All HumHub instances running vulnerable versions with the Meta-Search feature enabled are affected.

💻 Affected Systems

Products:

HumHub

Versions: All versions below 1.17.4

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: The Meta-Search feature must be enabled, but this is typically active by default in HumHub installations.

📦 What is this software?

Humhub by Humhub

View all CVEs affecting Humhub →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, take over user accounts, redirect users to phishing sites, or perform actions on behalf of authenticated users.

🟠

Likely Case

Attackers inject malicious JavaScript to steal session cookies or credentials from users viewing search results, potentially compromising individual accounts.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executed.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity, requiring only crafted input to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.17.4

Vendor Advisory: https://github.com/humhub/humhub/security/advisories/GHSA-2hgp-33j2-93cc

Restart Required: No

Instructions:

1. Backup your HumHub installation and database. 2. Download version 1.17.4 from the official repository. 3. Replace the existing installation files with the patched version. 4. Clear any caches if applicable.

🔧 Temporary Workarounds

Disable Meta-Search Feature

all

Temporarily disable the vulnerable Meta-Search feature to prevent exploitation.

Navigate to Administration > Modules > Search, and disable Meta-Search if available

Implement WAF Rules

all

Configure web application firewall to block XSS patterns in search parameters.

Add WAF rule: Detect and block script tags and JavaScript events in search query parameters

🧯 If You Can't Patch

Implement Content Security Policy (CSP) headers to restrict script execution
Enable input validation and output encoding at the application layer

🔍 How to Verify

Check if Vulnerable:

Check HumHub version in Administration > Information or via command: grep -r 'version' protected/config/common.php

Check Version:

php protected/yii version

Verify Fix Applied:

Verify version is 1.17.4 or higher and test search functionality with XSS payloads like <script>alert('test')</script>

📡 Detection & Monitoring

Log Indicators:

Unusual search queries containing script tags or JavaScript code
Multiple failed search attempts with malicious patterns

Network Indicators:

HTTP requests with script tags in search parameters
Unusual outbound connections following search activities

SIEM Query:

source="humhub_logs" AND (search_query CONTAINS "<script>" OR search_query CONTAINS "javascript:")

📊 Metadata

CVE ID: CVE-2025-64442

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.04% exploit probability (12.1th percentile)

Published: November 7, 2025

Last Updated: November 26, 2025

🔗 References

https://github.com/humhub/humhub/pull/7814 Patch
https://github.com/humhub/humhub/releases/tag/v1.17.4 Release Notes
https://github.com/humhub/humhub/security/advisories/GHSA-2hgp-33j2-93cc Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-64442, you might also want to check these: