PT-2025-17964 · Codimd+1

Ninjagptop · Published 2025-04-26 · Updated 2025-10-28 · CVE-2025-46655

CVSS v3.1: 4.9 Medium

Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

CodiMD versions 2.5.4 and earlier

Description

The issue is a bypass of the Content Security Policy (CSP) protection mechanism against Cross-Site Scripting (XSS) attacks through uploaded SVG documents containing JavaScript. The bypass can occur in certain cases of different-origin file storage, such as AWS S3, where the selected architecture has no component that can insert Content-Security-Policy headers. It is noted that using AWS for hosting untrusted JavaScript content can be considered a user error.

Recommendations

For CodiMD versions 2.5.4 and earlier, consider implementing an alternative security mechanism to protect against XSS attacks, such as validating and sanitizing user-uploaded content, especially SVG documents. As a temporary workaround, restrict the upload of SVG documents or ensure that all file storage solutions, including AWS S3, are configured to insert appropriate Content-Security-Policy headers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
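
One way to apply the validation recommended above is to inspect SVG uploads before they are written to different-origin storage. This is an added example, not CodiMD code; the function name `svg_upload_findings`, the deny-list and the sample files are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Deny-list chosen for this example (an assumption, not CodiMD's own list).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}
BLOCKED_SCHEMES = ("javascript:", "data:")


def local(name: str) -> str:
    """Drop the namespace part: '{ns}tag' -> 'tag'."""
    return name.rsplit("}", 1)[-1]


def svg_upload_findings(data: bytes) -> list[str]:
    """Return reasons to reject an upload; an empty list means nothing active was found."""
    lowered = data.lower()
    # Refuse DTDs outright: images do not need them and they allow entity tricks.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return ["DOCTYPE or ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except Exception as exc:  # fail closed on any parser error
        return [f"not well-formed XML: {exc}"]
    findings = []
    if local(root.tag) != "svg":
        findings.append("root element is not <svg>")
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr).lower()  # also covers xlink:href
            # Browsers drop tabs and newlines inside a URL, so strip whitespace first.
            url = "".join(value.split()).lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and url.startswith(BLOCKED_SCHEMES):
                findings.append(f"{url.split(':')[0]}: URL in {name} on <{tag}>")
    return findings


# Constructed sample inputs.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
            b'<script>x()</script><a href="javascript:x()"/></svg>')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("scripted", SCRIPTED)):
        print(label, svg_upload_findings(blob) or "accepted")
```

A deny-list like this is a pre-filter that rejects rather than rewrites files. The other workaround above, refusing SVG uploads altogether, avoids the parsing question entirely.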

Related Identifiers

CVE-2025-46655

Affected Products

AWS S3
CodiMD