CVE-2025-66563
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in Monkeytype, an open-source typing test, affecting versions 25.49.0 and earlier. An attacker can inject JavaScript through a quote submission; the payload is stored with the quote and executes in the browser of any other user who later views it. Every user of an affected version who views a malicious quote is exposed.
💻 Affected Systems
- Monkeytype
📦 What is this software?
Monkeytype, an open-source typing test, by the Monkeytype project (github.com/monkeytypegame/monkeytype)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies or tokens, redirect users to malicious sites, perform actions in the victim's account (the injected script runs with the victim's origin and can send authenticated requests even when cookies are HttpOnly), or use the page as a launch point for drive-by downloads.
Likely Case
Attackers would most likely steal session cookies to hijack user accounts or redirect users to phishing sites.
If Mitigated
With context-appropriate output encoding (and input validation as a secondary control), user-submitted quote text is rendered as plain text rather than interpreted as markup or script.
🎯 Exploit Status
The advisory includes proof-of-concept examples showing how to inject malicious JavaScript through quote submissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.50.0 and later
Vendor Advisory: https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-mfjh-9552-8g27
Restart Required: Yes
Instructions:
1. Update Monkeytype to version 25.50.0 or later.
2. Restart the application/service.
3. Verify the fix by checking the running version.
🔧 Temporary Workarounds
Disable quote submissions
Temporarily disable the user quote submission feature so no new payloads can be stored; existing stored quotes still need to be reviewed.
Modify the application configuration to disable the quote submission feature.
Implement Content Security Policy
Add a strict Content-Security-Policy header to limit script execution. A policy without 'unsafe-inline' blocks injected inline <script> blocks and event-handler attributes, but it will also break the application if the application itself relies on inline scripts, so roll it out with Content-Security-Policy-Report-Only first.
Add `Content-Security-Policy: script-src 'self'` to the HTTP response headers.
🧯 If You Can't Patch
- Implement WAF rules to block HTML/JavaScript in quote submissions; treat this as a stopgap, since pattern lists are bypassable (case variation, encoding, event-handler attributes instead of script tags)
- Encode all user-supplied quote fields for the HTML context at the point of display using a proper escaping function, rather than only filtering input
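The following is an added example, not code from Monkeytype or from the advisory, illustrating both the "If Mitigated" point above and the output-encoding workaround: the vulnerable pattern (untrusted quote fields interpolated straight into markup that ends up in innerHTML) beside its hardened form. The quote objects, field names (`text`, `source`) and the sample payloads are constructed assumptions for the demonstration.

```javascript
// Added example (not Monkeytype's own code): stored XSS through quote
// rendering, and the output-encoding fix. Runs under Node without a DOM by
// returning the markup strings a page would assign to innerHTML.

// Constructed sample quotes; the two payloads are assumptions, not the
// advisory's proof of concept.
const SAMPLE_QUOTES = [
  { text: "The quick brown fox jumps over the lazy dog", source: "Pangram" },
  { text: "<script>alert('XSS')</script>", source: "attacker" },
  { text: "<img src=x onerror=alert(1)>", source: "attacker" },
];

// The five characters that can break out of an HTML text node or a
// quoted attribute value. This is HTML-body/attribute encoding only; a value
// placed into a URL or a JavaScript string needs its own encoder.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: untrusted fields are concatenated into markup unchanged, so a
// <script> block or an onerror handler in the quote becomes live HTML once
// the string is assigned to innerHTML.
function renderQuoteUnsafe(quote) {
  return `<div class="quote"><p>${quote.text}</p><span>${quote.source}</span></div>`;
}

// Hardened: every untrusted field is encoded for the HTML context before it
// is concatenated, so the browser displays the tags as literal text.
// (In browser code the equivalent is element.textContent = quote.text
// instead of element.innerHTML = ...)
function renderQuoteSafe(quote) {
  return `<div class="quote"><p>${escapeHtml(quote.text)}</p><span>${escapeHtml(quote.source)}</span></div>`;
}

// Check used to compare the two renderers: does the output still contain any
// tag that did not come from the template? The template contributes exactly
// one <div>, one <p> and one <span>, so anything else is user-supplied markup.
function containsForeignTag(html) {
  const tags = html.match(/<\s*\/?\s*([a-z][a-z0-9]*)/gi) || [];
  const allowed = /^<\s*\/?\s*(div|p|span)$/i;
  return tags.some((t) => !allowed.test(t));
}

// Render the constructed sample both ways and report which renderer leaks
// user-controlled tags into the document.
function compareRenderers(quotes = SAMPLE_QUOTES) {
  return quotes.map((q) => ({
    text: q.text,
    unsafeLeaksTag: containsForeignTag(renderQuoteUnsafe(q)),
    safeLeaksTag: containsForeignTag(renderQuoteSafe(q)),
  }));
}

module.exports = { SAMPLE_QUOTES, escapeHtml, renderQuoteUnsafe, renderQuoteSafe, containsForeignTag, compareRenderers };
```

Running `compareRenderers()` shows the unsafe renderer leaking a tag for both payloads and the safe renderer leaking none; the benign quote renders identically under both, which is the property to preserve when patching display code.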
🔍 How to Verify
Check if Vulnerable:
Check whether the Monkeytype version is 25.49.0 or earlier. On an instance you operate (never a third-party deployment), submit a quote containing <script>alert('XSS')</script> and view it; a rendered alert confirms the vulnerable behaviour.
Check Version:
Check package.json or application settings for version number
Verify Fix Applied:
After updating to 25.50.0 or later, repeat the same test and confirm that HTML and JavaScript in quotes is displayed as literal text (the tag characters are visible on the page) rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual quote submissions containing script tags or JavaScript code
- Multiple quote submissions from single IP
Network Indicators:
- HTTP requests with quote parameters containing script tags
- Outbound connections to suspicious domains after viewing quotes
SIEM Query (vendor-neutral pseudo-syntax; adapt to your platform and make the matching case-insensitive, since "<SCRIPT>" and "<img onerror=...>" are missed by a literal "<script>" match):
source="monkeytype" AND (quote.text CONTAINS "<script>" OR quote.source CONTAINS "javascript:")
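The detection logic above, as an added example that is not part of the original page or of Monkeytype: a small scanner run over constructed JSON log lines that applies the log and network indicators listed (script tags, javascript: URIs, event-handler attributes, burst submissions from one IP) with case-insensitive matching. The log format, field names (`event`, `ip`, `text`, `source`) and sample entries are assumptions made for the demonstration; real Monkeytype logs will differ.

```javascript
// Added example (not Monkeytype's own code): scan quote-submission log lines
// for stored-XSS indicators and for many submissions from a single IP.

// Constructed sample log (JSON lines). Field names and values are assumptions.
const SAMPLE_LOG = [
  '{"ts":"2025-12-01T10:00:01Z","ip":"203.0.113.5","event":"quote.submit","text":"The quick brown fox jumps over the lazy dog","source":"Pangram"}',
  '{"ts":"2025-12-01T10:00:05Z","ip":"198.51.100.7","event":"quote.submit","text":"<script>alert(\'XSS\')</script>","source":"attacker"}',
  '{"ts":"2025-12-01T10:00:09Z","ip":"198.51.100.7","event":"quote.submit","text":"<IMG SRC=x onerror=alert(1)>","source":"attacker"}',
  '{"ts":"2025-12-01T10:00:12Z","ip":"198.51.100.7","event":"quote.submit","text":"Click here","source":"javascript:alert(1)"}',
  '{"ts":"2025-12-01T10:00:20Z","ip":"203.0.113.5","event":"quote.submit","text":"Practice makes perfect","source":"Proverb"}',
  '{"ts":"2025-12-01T10:00:25Z","ip":"198.51.100.7","event":"quote.submit","text":"Another ordinary quote","source":"attacker"}',
  'not json at all',
  '{"ts":"2025-12-01T10:00:30Z","ip":"203.0.113.5","event":"user.login"}',
].join("\n");

// Indicator patterns. All case-insensitive; the literal "<script>" match of the
// SIEM query above would miss the second and third payloads.
const INDICATORS = [
  { name: "script_tag", re: /<\s*\/?\s*script\b/i },
  { name: "javascript_uri", re: /javascript\s*:/i },
  { name: "event_handler", re: /\bon[a-z]+\s*=/i },
  { name: "active_element", re: /<\s*(iframe|img|svg|object|embed|math)\b/i },
];

function matchIndicators(value) {
  return INDICATORS.filter(({ re }) => re.test(value)).map(({ name }) => name);
}

// Returns { flagged, burstIps }:
//   flagged  - submissions with at least one indicator, with field:reason tags
//   burstIps - IPs with burstThreshold or more quote submissions in the window
function analyzeQuoteLogs(logText, burstThreshold = 3) {
  const flagged = [];
  const perIp = new Map();
  for (const raw of logText.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    let rec;
    try {
      rec = JSON.parse(line);
    } catch (e) {
      continue; // malformed line: skip rather than abort the whole scan
    }
    if (rec.event !== "quote.submit") continue;
    perIp.set(rec.ip, (perIp.get(rec.ip) || 0) + 1);
    const reasons = [];
    for (const field of ["text", "source"]) {
      for (const name of matchIndicators(rec[field] == null ? "" : String(rec[field]))) {
        reasons.push(`${field}:${name}`);
      }
    }
    if (reasons.length) flagged.push({ ts: rec.ts, ip: rec.ip, reasons });
  }
  const burstIps = [...perIp].filter(([, n]) => n >= burstThreshold).map(([ip]) => ip);
  return { flagged, burstIps };
}

module.exports = { SAMPLE_LOG, INDICATORS, matchIndicators, analyzeQuoteLogs };
```

On the constructed sample the scanner flags three submissions (script tag, event handler plus active element, javascript: URI in the source field) and reports 198.51.100.7 as a burst source; the login event and the malformed line are ignored. Tune the burst threshold to the normal submission rate of your instance, and keep the indicator list as a triage aid rather than a blocklist, since the fix is output encoding, not input filtering.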