CVE-2025-67906

5.4 MEDIUM

📋 TL;DR

This vulnerability allows cross-site scripting (XSS) attacks in MISP's workflow execution path. Attackers can inject malicious scripts that execute in users' browsers when viewing workflow execution details. All MISP instances running versions before 2.5.28 are affected.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: All versions before 2.5.28
Operating Systems: All platforms running MISP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the workflow execution path component specifically in app/View/Elements/Workflows/executionPath.ctp

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially compromising the entire MISP instance.

🟠 Likely Case

Session hijacking, credential theft, or defacement of workflow execution pages through injected JavaScript.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, though the vulnerability still exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (viewing a malicious workflow execution), but XSS payloads are simple to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.28

Vendor Advisory: https://github.com/MISP/MISP/commit/1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054

Restart Required: No

Instructions:

1. Back up your MISP instance.
2. Update to MISP version 2.5.28 or later.
3. Verify the fix by checking the patched file app/View/Elements/Workflows/executionPath.ctp.

🔧 Temporary Workarounds

Input Validation Workaround (all platforms)

Implement additional input validation for workflow execution data

# Custom validation in relevant controllers
# Sanitize user input before processing

Output Encoding (all platforms)

Apply proper output encoding in the affected template

# Modify executionPath.ctp to use h() or equivalent escaping
# Ensure all user-controlled data is properly escaped

🧯 If You Can't Patch

  • Implement WAF rules to block XSS payloads targeting workflow execution paths
  • Restrict access to workflow execution features to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check MISP version: if below 2.5.28, you are vulnerable. Examine app/View/Elements/Workflows/executionPath.ctp for missing output encoding.

Check Version:

php /var/www/MISP/app/Console/cake Admin getSetting MISP.version

Verify Fix Applied:

Verify MISP version is 2.5.28 or later. Check that app/View/Elements/Workflows/executionPath.ctp properly escapes user input.
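
The two checks above can be scripted. The following is an added example, not code from MISP or from this advisory: it compares a version string against 2.5.28 and heuristically flags echo statements in a CakePHP template that are not wrapped in h() or htmlspecialchars(). The sample template is constructed for illustration and is not the real contents of executionPath.ctp; the $node variable and its keys are hypothetical.

```python
import re

FIXED = (2, 5, 28)  # first patched release named in the advisory

# Short echo tags (<?= ... ?>) and single-statement <?php echo ...; ?> blocks.
ECHO_RE = re.compile(r"<\?(?:=|php\s+echo\s)\s*(.+?)\s*;?\s*\?>", re.S)
# Output wrapped in these calls is treated as HTML-escaped (heuristic).
ESCAPERS = ("h(", "htmlspecialchars(")


def is_vulnerable_version(version: str) -> bool:
    """True when the MISP version string is older than 2.5.28."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups()) < FIXED


def find_unescaped_echoes(template: str) -> list[tuple[int, str]]:
    """Return (line number, expression) for each echo not wrapped in an escaper."""
    hits = []
    for m in ECHO_RE.finditer(template):
        expr = m.group(1).strip()
        if not expr.startswith(ESCAPERS):
            hits.append((template.count("\n", 0, m.start()) + 1, expr))
    return hits


# Constructed sample, NOT the real contents of executionPath.ctp;
# the $node variable and its keys are hypothetical.
SAMPLE = """<div class="node">
  <span><?= h($node['name']) ?></span>
  <span><?= $node['message'] ?></span>
  <?php echo $node['id']; ?>
</div>
"""

if __name__ == "__main__":
    print("2.5.27 vulnerable:", is_vulnerable_version("2.5.27"))
    for line_no, expr in find_unescaped_echoes(SAMPLE):
        print(f"line {line_no}: unescaped output of {expr}")
```

A flagged line is a candidate for manual review, not proof of a flaw: values that are never user-controlled, or that are escaped earlier in the view, will also be reported.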

📡 Detection & Monitoring

Log Indicators:

  • Unusual workflow execution patterns
  • JavaScript payloads in workflow-related logs
  • Multiple failed workflow execution attempts

Network Indicators:

  • HTTP requests containing script tags or JavaScript in workflow parameters
  • Unusual outbound connections from MISP users' browsers

SIEM Query:

source="misp.log" AND ("executionPath" OR "workflow") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
