CVE-2025-66519

6.3 MEDIUM

📋 TL;DR

A stored XSS vulnerability in Foxit PDF Online's Layer Import functionality allows attackers to inject malicious scripts into the 'Create new Layer' field. When users access the Layers panel, the script executes in their browser context. This affects all users of pdfonline.foxit.com who import layers.

💻 Affected Systems

Products:
  • Foxit PDF Online
Versions: All versions prior to patch
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web interface at pdfonline.foxit.com; desktop applications are not impacted.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or install malware through drive-by downloads.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the PDF interface through injected content.

🟢 If Mitigated

Limited to UI manipulation within the PDF editor interface without access to server-side systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires user interaction (accessing the Layers panel), but payload injection is straightforward through layer import.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Foxit security bulletins for specific version

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: No

Instructions:

1. Visit Foxit security bulletins page.
2. Identify patch for CVE-2025-66519.
3. Apply server-side update to pdfonline.foxit.com.
4. No client-side action required.

🔧 Temporary Workarounds

Disable Layer Import

all

Temporarily disable the Layer Import functionality in Foxit PDF Online

Content Security Policy

all

Implement strict CSP headers to block inline script execution

Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Implement WAF rules to detect and block XSS payloads in layer import requests
  • Educate users to avoid accessing the Layers panel with untrusted PDFs

🔍 How to Verify

Check if Vulnerable:

Test by importing a layer with the payload <script>alert('XSS')</script> in the layer name field, then check whether the alert triggers when accessing the Layers panel.

Check Version:

Check Foxit security bulletins for patched version information

Verify Fix Applied:

Repeat the vulnerability test; a successful fix should sanitize the input and prevent script execution.

📡 Detection & Monitoring

Log Indicators:

  • Unusual layer names containing script tags or JavaScript patterns
  • Multiple failed layer import attempts with special characters

Network Indicators:

  • HTTP requests with script tags in POST data to layer import endpoints

SIEM Query:

source="web_logs" AND (uri_path="/layer/import" OR uri_path="/api/layer") AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")
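
The query above matches the literal strings "<script>" and "javascript:" in the raw request body. The following Python is an added example, not code from Foxit or from this page: it applies the same two patterns after undoing URL and HTML-entity encoding and ignoring case, so encoded layer names are still flagged. The field names and endpoint paths are taken from the query; the "id" field and all sample records are constructed.

```python
import html
import re
from urllib.parse import unquote_plus

# Endpoint paths copied from the SIEM query above; adjust to your log schema.
LAYER_PATHS = {"/layer/import", "/api/layer"}

# The two patterns the query looks for, matched case-insensitively.
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def normalise(body, max_rounds=3):
    """Undo URL and HTML-entity encoding until the text stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(body))
        if decoded == body:
            break
        body = decoded
    return body


def flag_layer_imports(records):
    """Return (record id, matched text) for layer requests with script-like content."""
    hits = []
    for rec in records:
        if rec["uri_path"] not in LAYER_PATHS:
            continue  # only the layer endpoints named in the query
        match = SUSPICIOUS.search(normalise(rec["request_body"]))
        if match:
            hits.append((rec["id"], match.group(0)))
    return hits


# Constructed sample records (not real traffic); "id" is a hypothetical field.
SAMPLE = [
    {"id": 1, "uri_path": "/layer/import", "request_body": "name=Background"},
    {"id": 2, "uri_path": "/layer/import", "request_body": "name=<script>alert('XSS')</script>"},
    {"id": 3, "uri_path": "/api/layer", "request_body": "name=%3CScRiPt%3Ealert(1)%3C%2Fscript%3E"},
    {"id": 4, "uri_path": "/api/layer", "request_body": "name=%253Cscript%253E"},
    {"id": 5, "uri_path": "/layer/import", "request_body": "name=&lt;script&gt;alert(1)&lt;/script&gt;"},
    {"id": 6, "uri_path": "/api/layer", "request_body": "name=JavaScript%3Aalert(1)"},
    {"id": 7, "uri_path": "/other/endpoint", "request_body": "note=<script>"},
    {"id": 8, "uri_path": "/layer/import", "request_body": "name=Revision+notes"},
]

if __name__ == "__main__":
    for rec_id, matched in flag_layer_imports(SAMPLE):
        print(rec_id, repr(matched))
```

Of the constructed records, only record 2 contains the literal "<script>" string in its raw body; records 3 to 6 are flagged only after normalisation.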
