CVE-2025-49590

Name of the Vulnerable Software and Affected Versions CryptPad versions prior to 2025.3.0

Description The issue concerns the "Link Bouncer" functionality in CryptPad, a collaboration suite, which attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS). However, this filtering can be bypassed due to an "early allow" code path that occurs before the URI's protocol/scheme is checked, allowing a maliciously crafted URI to exploit this weakness.

Recommendations For versions prior to 2025.3.0, update to version 2025.3.0 to resolve the issue. As a temporary workaround, consider restricting the use of the "Link Bouncer" functionality until the update can be applied.