CVE-2025-66629

3.7 LOW

📋 TL;DR

HedgeDoc versions before 1.10.4 have CSRF vulnerabilities in OAuth2 endpoints for social login providers like Google, GitHub, GitLab, Facebook, and Dropbox. Attackers can trick authenticated users into performing unintended OAuth2 authorization actions. All HedgeDoc instances using social login with affected versions are vulnerable.

💻 Affected Systems

Products:
  • HedgeDoc
Versions: All versions prior to 1.10.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances using OAuth2 social login providers (Google, GitHub, GitLab, Facebook, Dropbox).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could link their own social accounts to victim accounts, potentially gaining unauthorized access or performing account takeover through social login.

🟠

Likely Case

Attackers could associate their social accounts with victim accounts, causing confusion and potential unauthorized access.

🟢

If Mitigated

With proper CSRF protection, OAuth2 flows would be secure and only intentional authorizations would succeed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking authenticated users into visiting malicious pages while logged into HedgeDoc.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.4

Vendor Advisory: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-6wm6-3vpq-6qvv

Restart Required: Yes

Instructions:

1. Back up your HedgeDoc instance.
2. Update to version 1.10.4 or later using your package manager or deployment method.
3. Restart the HedgeDoc service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable Social Login

Applies to: all

Temporarily disable OAuth2 social login providers until patching is complete.

Edit the HedgeDoc configuration to remove or comment out the OAuth2 provider settings.

🧯 If You Can't Patch

  • Implement web application firewall rules to detect and block CSRF attempts
  • Use browser security extensions that provide CSRF protection

🔍 How to Verify

Check if Vulnerable:

Check the HedgeDoc version: if it is below 1.10.4 and social login is enabled, the instance is vulnerable.

Check Version:

Check the HedgeDoc web interface or run the appropriate command for your deployment method.

Verify Fix Applied:

Verify HedgeDoc version is 1.10.4 or higher and test OAuth2 login flows work correctly.

📡 Detection & Monitoring

Log Indicators:

  • Multiple OAuth2 authorization requests from same user in short time
  • OAuth2 authorization requests without the expected Referer header

Network Indicators:

  • HTTP POST requests to OAuth2 endpoints without CSRF tokens
  • Cross-origin requests to HedgeDoc OAuth2 endpoints

SIEM Query:

source="hedgedoc" AND (uri_path="/auth/*" OR uri_path="/oauth2/*") AND http_method="POST" AND NOT csrf_token=*
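The indicators listed above can be checked outside a SIEM as well. The Node.js snippet below is an added example, not HedgeDoc's or any SIEM vendor's code: it runs the three indicators (POST to an OAuth2 path with no CSRF/state token, missing or cross-origin Referer on a login-start request, and a burst of authorization requests from one user) over constructed access-log records. The record field names, the instance origin `https://notes.example`, and the assumption that paths ending in `/callback` legitimately arrive with the provider's origin as Referer are all this example's own.

```javascript
// Added example (not HedgeDoc's code): the detection indicators above applied
// to constructed, normalised access-log records. Field names are assumed.
const OWN_ORIGIN = "https://notes.example"; // constructed: this instance's origin

const SAMPLE_LOGS = [
  { ts: 1000, user: "alice", method: "GET",  path: "/auth/github",          referer: "https://notes.example/",   csrfToken: "s1" },
  { ts: 1200, user: "alice", method: "GET",  path: "/auth/github/callback", referer: "https://github.com/",      csrfToken: "s1" },
  { ts: 5000, user: "bob",   method: "POST", path: "/auth/google",          referer: "https://evil.example/p",   csrfToken: null },
  { ts: 5100, user: "bob",   method: "POST", path: "/auth/google",          referer: "",                         csrfToken: null },
  { ts: 5200, user: "bob",   method: "POST", path: "/auth/google",          referer: "https://evil.example/p",   csrfToken: null },
  { ts: 9000, user: "carol", method: "GET",  path: "/notes/123",            referer: "https://evil.example/p",   csrfToken: null },
];

function isOAuthPath(path) {
  return path.startsWith("/auth/") || path.startsWith("/oauth2/");
}

// Assumption: provider callbacks legitimately carry the provider's origin.
function isCallbackPath(path) {
  return path.endsWith("/callback");
}

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Per-record indicators; an empty array means the record is clean.
function indicatorsFor(rec) {
  if (!isOAuthPath(rec.path)) return [];
  const reasons = [];
  if (rec.method === "POST" && !rec.csrfToken) reasons.push("post-without-csrf-token");
  if (!isCallbackPath(rec.path)) {
    if (!rec.referer) reasons.push("missing-referer");
    else if (originOf(rec.referer) !== OWN_ORIGIN) reasons.push("cross-origin");
  }
  return reasons;
}

// Users who started `threshold` or more authorizations within `windowMs`.
function burstUsers(records, windowMs, threshold) {
  const byUser = new Map();
  for (const r of records) {
    if (!isOAuthPath(r.path) || isCallbackPath(r.path)) continue;
    if (!byUser.has(r.user)) byUser.set(r.user, []);
    byUser.get(r.user).push(r.ts);
  }
  const out = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    let lo = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowMs) lo++;
      if (hi - lo + 1 >= threshold) { out.push(user); break; }
    }
  }
  return out;
}

function analyze(records, windowMs = 60000, threshold = 3) {
  const flagged = records
    .map((record) => ({ record, reasons: indicatorsFor(record) }))
    .filter((x) => x.reasons.length > 0);
  return { flagged, bursts: burstUsers(records, windowMs, threshold) };
}

module.exports = { SAMPLE_LOGS, indicatorsFor, burstUsers, analyze };
```

Referer-based checks are a weak signal on their own (browsers strip or shorten the header under many referrer policies), so the burst and missing-token indicators are the ones worth alerting on; the Referer mismatch is best used to enrich those alerts.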
