CVE-2025-46655
CVSS 3.1 Score 4.9 of 10 (medium)
Details
Summary
CVE-2025-46655 is a vulnerability affecting CodiMD versions up to 2.5.4. CodiMD sets a Content Security Policy (CSP) to prevent Cross-Site Scripting (XSS) via JavaScript embedded in uploaded SVG documents. This protection can be bypassed when uploads are served from different-origin file storage, such as Amazon S3, because the CSP set by the CodiMD origin does not apply to files hosted on that other origin. Note that using AWS to host untrusted JavaScript may be considered a user error, but the particular AWS architecture in use might not support adding Content-Security-Policy headers to those responses to mitigate the risk.