PT-2025-15983 · Ry0Tak · Published 2025-04-10 · Updated 2025-04-10
CVE-2025-32391
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HedgeDoc versions prior to 1.10.3
Description: The vulnerability is triggered when a malicious SVG file uploaded to HedgeDoc is opened in a new tab, which can lead to cross-site scripting (XSS). The attack abuses the JSONP capability of GitHub Gist embeddings. Only instances with specific configurations are affected, such as those using the local filesystem upload backend or serving uploads from the same domain as HedgeDoc.
Recommendations: Upgrade to HedgeDoc 1.10.3, which resolves the issue. Instances that cannot be upgraded can apply a temporary workaround: add the headers Content-Disposition: attachment and Content-Security-Policy: default-src 'none' to every response under /uploads. Additionally, remove external URLs from the script-src directive of the Content-Security-Policy header.
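A defender-side check for the workaround described above, added here as an example and not part of HedgeDoc or this advisory: it parses the CSP and Content-Disposition headers of an /uploads response and of a page response and reports whether the recommended settings are in place. The header values are constructed samples, and fetching the headers is assumed to be done by the caller.

```python
"""Check response headers against the CVE-2025-32391 workaround.

Added example, not HedgeDoc's own code. It assumes the caller has already
fetched the response headers for a file under /uploads and for a note page;
every header value below is a constructed sample.
"""


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def external_sources(sources: list) -> list:
    """Keep only host/URL sources; skip keywords ('self', 'none', nonces,
    hashes) and bare scheme sources such as https: or data:."""
    return [s for s in sources if not s.startswith("'") and not s.endswith(":")]


def uploads_headers_ok(headers: dict) -> bool:
    """True when an /uploads response carries both workaround headers:
    Content-Disposition: attachment and Content-Security-Policy: default-src 'none'."""
    h = {k.lower(): v for k, v in headers.items()}
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    csp = parse_csp(h.get("content-security-policy", ""))
    return disposition == "attachment" and csp.get("default-src") == ["'none'"]


def script_src_externals(headers: dict) -> list:
    """External URLs still allowed by script-src on a page response."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    return external_sources(csp.get("script-src", []))


# Constructed samples: an unmitigated upload response and a hardened one.
WEAK_UPLOAD = {"Content-Type": "image/svg+xml"}
HARDENED_UPLOAD = {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": 'attachment; filename="image.svg"',
    "Content-Security-Policy": "default-src 'none'",
}
# Constructed page CSP that still allows a third-party script origin.
PAGE_WITH_EXTERNAL = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc' https://gist.github.com",
}
```

Run `uploads_headers_ok` against each /uploads response and `script_src_externals` against a note page; an empty list from the latter means script-src contains no external URLs.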

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-32391
GHSA-3983-RRQH-MVX5

Affected Products

Github Gist
Hedgedoc