CVE-2025-27608

Name of the Vulnerable Software and Affected Versions Arduino IDE versions prior to 2.3.5

Description A Self Cross-Site Scripting (XSS) vulnerability has been identified in the Arduino IDE. The vulnerability occurs in the Additional Board Manager URLs field, which can be found in the Preferences -> Settings section of the Arduino IDE interface. In the vulnerable versions, any values entered in this field are directly displayed to the user through a notification tooltip object, without a proper output encoding routine, due to the underlying ElectronJS engine interpretation. This vulnerability exposes the input parameter to Self-XSS attacks, which may lead to security risks depending on where the malicious payload is injected.

Recommendations For versions prior to 2.3.5, update to version 2.3.5 to resolve the issue. As a temporary workaround, consider avoiding the use of the Additional Board Manager URLs field until the update is applied. Restrict access to this field to minimize the risk of exploitation.