CVE-2025-66458
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in Lookyloo allows attackers to inject malicious JavaScript code that executes in users' browsers when they view captured website data. The vulnerability affects all Lookyloo users who process website captures from untrusted sources. Attackers can steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users.
💻 Affected Systems
- Lookyloo
📦 What is this software?
Lookyloo by Lookyloo
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full control of the Lookyloo instance, and potentially pivot to internal systems if the Lookyloo server has network access to other resources.
Likely Case
Attackers steal user session cookies, hijack user accounts, and perform unauthorized actions within the Lookyloo application.
If Mitigated
With proper input validation and output encoding, malicious scripts are rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires the attacker to control a server that Lookyloo processes, but no authentication is needed for the XSS payload to execute in users' browsers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.35.3
Vendor Advisory: https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-58h2-652v-gq87
Restart Required: Yes
Instructions:
1. Backup your current Lookyloo installation and data.
2. Update Lookyloo to version 1.35.3 or later using: git pull origin main && pip install -r requirements.txt
3. Restart the Lookyloo service: sudo systemctl restart lookyloo (or equivalent).
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side filtering to reject JSON responses containing script tags or JavaScript code in specific fields
# Customize Lookyloo's capture processing to sanitize JSON inputs
# Add validation in the appropriate capture processing modules
Content Security Policy
Implement strict Content Security Policy headers to prevent execution of inline scripts
# Add to web server configuration or application headers:
Content-Security-Policy: script-src 'self'
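The following is an added example, not Lookyloo's own code, that shows the two workarounds above together with the output-encoding the "If Mitigated" case relies on. It runs on a constructed JSON document; the field names "title" and "description", the idea that those fields are rendered into the UI, and the script-detection regex are all assumptions made for the illustration.

```python
# Added example (not Lookyloo's code). Demonstrates, on constructed input:
#  1. a server-side filter that flags rendered fields carrying script-like text
#  2. output encoding, which is what actually neutralises the payload
#  3. the CSP header/value pair from the workaround above
import html
import json
import re
from typing import List, Tuple

# Constructed sample: a JSON body a captured site might return, with a script
# tag placed in a text field that the (assumed) UI later renders as HTML.
SAMPLE_JSON = json.dumps({
    "title": "Example page",
    "description": "<script>console.log('injected')</script> harmless-looking text",
    "status": 200,
})

# Assumed: these are the fields the UI renders, so they are the ones to check.
RENDERED_FIELDS = ("title", "description")

# Coarse, case-insensitive heuristic for active content inside a text value:
# a <script tag, a javascript: URL scheme, or an inline on*= event handler.
_SCRIPT_PATTERN = re.compile(r"<\s*script\b|javascript\s*:|on\w+\s*=", re.IGNORECASE)


def find_script_fields(raw_json: str) -> List[str]:
    """Workaround 1: return the names of rendered fields whose value looks like
    script content, so the capture can be rejected or quarantined before the
    UI ever sees it. An empty list means nothing was flagged."""
    data = json.loads(raw_json)
    flagged = []
    for name in RENDERED_FIELDS:
        value = data.get(name)
        if isinstance(value, str) and _SCRIPT_PATTERN.search(value):
            flagged.append(name)
    return flagged


def render_field(value: str) -> str:
    """The real fix at the template layer: HTML-encode the value so the browser
    displays '<script>' as literal text instead of executing it. quote=True
    also encodes quotes, which matters when the value lands in an attribute."""
    return html.escape(value, quote=True)


def csp_header() -> Tuple[str, str]:
    """Workaround 2: header name and value to attach to every UI response."""
    return ("Content-Security-Policy", "script-src 'self'")


if __name__ == "__main__":
    print("flagged fields:", find_script_fields(SAMPLE_JSON))
    print("encoded description:",
          render_field(json.loads(SAMPLE_JSON)["description"]))
    print("CSP header: %s: %s" % csp_header())
```

The filter is a stop-gap: it only catches the patterns it knows about, so the encoding in render_field (or the equivalent auto-escaping in the template engine) is the control to rely on, with the CSP header as a second layer that blocks inline script even if encoding is missed somewhere.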
🧯 If You Can't Patch
- Restrict Lookyloo to only process captures from trusted, whitelisted domains
- Isolate Lookyloo instance in a network segment with no access to sensitive internal systems
🔍 How to Verify
Check if Vulnerable:
Check if Lookyloo version is below 1.35.3 by examining the version file or running the application and checking the web interface footer
Check Version:
grep __version__ lookyloo/__init__.py or check web interface footer
Verify Fix Applied:
Confirm version is 1.35.3 or higher and test with a controlled payload containing script tags in JSON responses
📡 Detection & Monitoring
Log Indicators:
- Unusual increase in capture requests from single IPs
- Log entries showing processing of JSON with script tags
Network Indicators:
- Outbound connections from Lookyloo server to unexpected domains after processing captures
SIEM Query:
source="lookyloo.log" AND ("script" OR "javascript" OR "<script") AND "JSON"
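The next block is an added example, not part of Lookyloo or of this advisory, that applies the SIEM query and the "unusual increase in capture requests from single IPs" indicator to a set of constructed log lines. The log layout ("timestamp level message", "capture requested from <ip>") is an assumption; Lookyloo's real log format may differ and the regexes would need adjusting.

```python
# Added example (not Lookyloo's code). Runs the detection ideas above over
# constructed log lines so the matching logic can be checked offline.
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log in an assumed "<timestamp> <level> <message>" layout.
SAMPLE_LOG = """\
2025-01-10T10:00:00Z INFO capture requested from 203.0.113.5 url=https://example.test/
2025-01-10T10:00:01Z INFO capture requested from 203.0.113.5 url=https://example.test/a
2025-01-10T10:00:02Z INFO capture requested from 203.0.113.5 url=https://example.test/b
2025-01-10T10:00:03Z INFO capture requested from 198.51.100.7 url=https://example.org/
2025-01-10T10:00:04Z INFO capture 42 parsed JSON body from https://example.test/api
2025-01-10T10:00:05Z WARNING capture 42 JSON field contains <script tag (length 512)
2025-01-10T10:00:06Z INFO capture 43 JSON body served as text/javascript
2025-01-10T10:00:07Z INFO capture 44 stored screenshot
"""

# Terms from the SIEM query. "script" is a substring of both "javascript" and
# "<script", so the three-way OR is really just "script"; kept verbatim so the
# code mirrors the query. Matching is case-insensitive, as SIEM term search is.
_SCRIPT_TERMS = re.compile(r"javascript|<script|script", re.IGNORECASE)

# Assumed message shape for a new capture request.
_REQUEST_IP = re.compile(r"capture requested from (\d{1,3}(?:\.\d{1,3}){3})")


def matches_siem_query(line: str) -> bool:
    """Equivalent of: ("script" OR "javascript" OR "<script") AND "JSON"."""
    return bool(_SCRIPT_TERMS.search(line)) and "json" in line.lower()


def suspicious_lines(log_text: str) -> List[str]:
    """All lines that satisfy the SIEM query; these are triage candidates, not
    confirmed exploitation (any page that legitimately embeds a script tag in
    JSON will match too)."""
    return [line for line in log_text.splitlines() if matches_siem_query(line)]


def requests_per_ip(log_text: str) -> Dict[str, int]:
    """Count capture requests per source IP for the volume-based indicator."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        match = _REQUEST_IP.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def noisy_sources(log_text: str, threshold: int) -> List[str]:
    """IPs that issued at least `threshold` capture requests in the window the
    log covers. The threshold is site-specific and must be tuned to baseline."""
    return sorted(ip for ip, n in requests_per_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for line in suspicious_lines(SAMPLE_LOG):
        print("SIEM match:", line)
    print("requests per IP:", requests_per_ip(SAMPLE_LOG))
    print("noisy sources (>=3):", noisy_sources(SAMPLE_LOG, threshold=3))
```

Because "script" alone already satisfies the OR clause, expect this query to be noisy on any instance that captures ordinary JavaScript-heavy sites; pair the hits with the outbound-connection indicator above before escalating.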