CVE-2025-66459

6.1 MEDIUM

📋 TL;DR

Lookyloo versions before 1.35.3 contain a cross-site scripting (XSS) vulnerability: when a capture of a submitted URL fails, HTML contained in that URL is reflected unescaped into the error message, so attacker-controlled JavaScript executes in the browser of whoever views the error. This affects all users of vulnerable Lookyloo instances, particularly instances that accept user-submitted URLs.

💻 Affected Systems

Products:
  • Lookyloo
Versions: All versions prior to 1.35.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when users submit URLs containing HTML elements that cause capture failures.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through client-side attacks.

🟠

Likely Case

Session hijacking, credential theft, or defacement of the Lookyloo interface through injected malicious scripts.

🟢

If Mitigated

Limited to UI manipulation within the Lookyloo interface if proper input validation and output encoding are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to submit malicious URLs, but no authentication is needed to trigger the XSS.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.35.3

Vendor Advisory: https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-hvmh-j2jx-48wg

Restart Required: Yes

Instructions:

1. Update Lookyloo to version 1.35.3 or later using pip: pip install "lookyloo>=1.35.3" (the version specifier must be quoted so the shell does not treat > as a redirect)
2. Restart the Lookyloo service
3. Verify the update completed successfully

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side validation to reject URLs containing HTML tags or script elements

Reject any submitted URL that matches the regex /[<>]/ in the URL validation logic

Output Encoding

all

Apply HTML entity encoding to error messages before displaying them to users

Use appropriate HTML encoding functions in your framework
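The two workarounds above, shown side by side as an added example. This is not Lookyloo's own code: the function names, the error-message wording and the sample URL are assumptions made for the illustration. The vulnerable form interpolates the submitted URL straight into the HTML error message; the hardened form entity-encodes it first, and the angle-bracket filter rejects such a URL before a capture is even attempted.

```python
import html
import re

# Constructed sample input (not taken from a real capture): a submitted URL
# carrying an HTML element, whose capture is assumed to have failed.
SAMPLE_URL = "http://example.invalid/page<b>bold</b>"

# Workaround 1 from the advisory: reject URLs containing a raw '<' or '>'.
ANGLE_BRACKETS = re.compile(r"[<>]")


def url_is_acceptable(url: str) -> bool:
    """Server-side pre-check: True only if the URL has no literal angle brackets."""
    return ANGLE_BRACKETS.search(url) is None


def render_error_vulnerable(url: str) -> str:
    """Vulnerable pattern: untrusted URL placed into the HTML error message unchanged,
    so any markup inside it becomes part of the page."""
    return f'<p class="error">Capture of {url} failed</p>'


def render_error_safe(url: str) -> str:
    """Workaround 2 from the advisory: HTML-entity-encode the untrusted value before it
    reaches the page, so the browser renders the markup as text instead of parsing it."""
    return f'<p class="error">Capture of {html.escape(url, quote=True)} failed</p>'


if __name__ == "__main__":
    print("filter accepts sample URL:", url_is_acceptable(SAMPLE_URL))
    print("vulnerable:", render_error_vulnerable(SAMPLE_URL))
    print("hardened:  ", render_error_safe(SAMPLE_URL))
```

Output encoding is the primary control: the bracket filter only sees literal angle brackets, so a percent-encoded form of the same URL passes it and relies on the encoding step at render time. A templating engine with autoescaping enabled does what render_error_safe does by hand.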

🧯 If You Can't Patch

  • Disable user-submitted URL functionality or restrict to trusted sources only
  • Implement a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check the Lookyloo version with 'pip show lookyloo' or examine the package metadata. If the version is lower than 1.35.3, the system is vulnerable.

Check Version:

pip show lookyloo | grep Version

Verify Fix Applied:

After updating, test by submitting a URL with HTML elements that should fail capture. Verify error messages display encoded HTML entities instead of raw HTML.

📡 Detection & Monitoring

Log Indicators:

  • Unusual error messages containing HTML tags in Lookyloo logs
  • Multiple failed capture attempts with similar payloads

Network Indicators:

  • HTTP requests containing HTML/script tags in URL parameters to Lookyloo endpoints

SIEM Query:

source="lookyloo.log" AND ("<script" OR "<img" OR "onerror=" OR "javascript:")
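The two log indicators and the SIEM query above, applied to constructed sample log lines as an added example. The log format, the src= field and the failure threshold are assumptions for the illustration, not Lookyloo's real log layout. The example goes one step beyond the literal query by percent-decoding each line before matching, since a URL-encoded %3Cscript%3E would otherwise slip past the string search.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Search terms from the advisory's SIEM query, matched case-insensitively.
INDICATORS = ("<script", "<img", "onerror=", "javascript:")

# Assumed log layout: failed captures carry the submitting client and the URL.
FAILED_RE = re.compile(r"capture failed src=(?P<src>\S+) url=(?P<url>\S+)")

# Assumed tuning knob: this many failures from one source is worth a look.
FAIL_THRESHOLD = 3

# Constructed sample log (not real Lookyloo output).
SAMPLE_LOG = """\
2025-01-01T10:00:00Z INFO capture ok src=203.0.113.5 url=http://example.invalid/index.html
2025-01-01T10:00:05Z ERROR capture failed src=203.0.113.9 url=http://example.invalid/<b>x</b>
2025-01-01T10:00:06Z ERROR capture failed src=203.0.113.9 url=http://example.invalid/?q=%3Cscript%3E
2025-01-01T10:00:07Z ERROR capture failed src=203.0.113.9 url=http://example.invalid/<img>
2025-01-01T10:00:08Z ERROR capture failed src=203.0.113.9 url=javascript:void(0)
"""


def line_matches(line: str) -> bool:
    """True if the line contains any indicator, after percent-decoding and lowercasing."""
    decoded = unquote(line).lower()
    return any(term in decoded for term in INDICATORS)


def indicator_hits(log_text: str) -> list[str]:
    """Log indicator 1: lines whose URL carries HTML/script indicators."""
    return [ln for ln in log_text.splitlines() if line_matches(ln)]


def repeated_failures(log_text: str, threshold: int = FAIL_THRESHOLD) -> dict[str, int]:
    """Log indicator 2: sources with at least `threshold` failed captures."""
    counts: Counter[str] = Counter()
    for ln in log_text.splitlines():
        m = FAILED_RE.search(ln)
        if m:
            counts[m["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in indicator_hits(SAMPLE_LOG):
        print("indicator:", hit)
    print("repeated failures:", repeated_failures(SAMPLE_LOG))
```

The second failed line (a plain <b> element) is not caught by the indicator list, which is why the failure count per source is kept as a separate signal: a run of failed captures with markup in the URL is suspicious even when no term from the query appears.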
