CVE-2025-53528
Vulnerability from cvelistv5
Published
2025-07-21 20:15
Modified
2025-07-23 15:01
Severity ?
EPSS score ?
Summary
Cadwyn is vulnerable to an XSS attack through its docs page
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53528",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-22T19:55:33.509222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T19:55:52.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cadwyn",
"vendor": "zmievsa",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the \"/docs\" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user\u0027s session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T15:01:36.184Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r"
},
{
"name": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728"
}
],
"source": {
"advisory": "GHSA-2gxp-6r36-m97r",
"discovery": "UNKNOWN"
},
"title": "Cadwyn is vulnerable to an XSS attack through its docs page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53528",
"datePublished": "2025-07-21T20:15:17.464Z",
"dateReserved": "2025-07-02T15:15:11.514Z",
"dateUpdated": "2025-07-23T15:01:36.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-53528\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-21T21:15:25.883\",\"lastModified\":\"2025-07-23T15:15:33.743\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the \\\"/docs\\\" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user\u0027s session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.\"},{\"lang\":\"es\",\"value\":\"Cadwyn crea un control de versiones de API moderno, similar a Stripe, basado en la comunidad y listo para producci\u00f3n en FastAPI. En las versiones 5.4.3 y anteriores, el par\u00e1metro de versi\u00f3n del endpoint \\\"/docs\\\" es vulnerable a un ataque XSS reflejado (Cross-Site Scripting). Este XSS permitir\u00eda a un atacante ejecutar c\u00f3digo JavaScript en la sesi\u00f3n de un usuario para cualquier aplicaci\u00f3n basada en Cadwyn mediante un ataque de un solo clic. La vulnerabilidad se ha corregido en la versi\u00f3n 5.4.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.