PT-2026-23066 · Npm+1 · Darkreader

Published: 2026-03-04 · Updated: 2026-03-05 · CVE-2025-68467

CVSS v3.1: 3.4 (Low)

Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Dark Reader versions prior to 4.9.117
Dark Reader versions 4.9.117 through 4.9.118

Description

Dark Reader, a browser extension designed to enable dark mode on web pages, had a flaw where a website could potentially request style sheets from a locally running web server, such as http://localhost:8080/style.css, if the address was known and returned a text/css content type. This was due to the extension's handling of cross-origin style sheets, specifically when parsing and storing their content. The issue stemmed from how the extension analyzed CSS style sheets, potentially allowing access to local resources. The problem was addressed by switching to the Constructed Style Sheets API and removing the storage of cross-origin style sheet content in the page's Session Storage.

Recommendations

Dark Reader versions prior to 4.9.117 should be updated to version 4.9.117 or later. Users running manual builds should upgrade to version 4.9.118 or later. Developers using the darkreader NPM package should ensure the function passed to setFetchMethod() for performing cross-origin requests works within the intended scope. Developers using custom forks of earlier versions of Dark Reader should review their implementation to ensure cross-origin requests are handled securely.
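
One way to keep the function passed to setFetchMethod() within an intended scope, as the recommendation for NPM package users asks. This is an added example, not code from Dark Reader or from this advisory: it only fetches HTTPS style sheets from an allowlisted origin and refuses loopback and private addresses. The allowlist, the helper names and the sample origin are assumptions.

```javascript
// Added example, not Dark Reader's own code. ALLOWED_ORIGINS and the helper
// names are assumptions; the origin below is a constructed sample value.
const ALLOWED_ORIGINS = new Set(['https://cdn.example.com']);

// True for hostnames naming this machine or a private/link-local IPv4 range.
// Input is URL.hostname, so forms like 2130706433 arrive as 127.0.0.1.
function isLocalHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '::1' || host === '::') return true;
  const m = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Policy: absolute HTTPS URL, non-local host, origin on the allowlist.
function isInScope(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // relative or malformed URLs are refused
  }
  if (url.protocol !== 'https:') return false;
  if (isLocalHost(url.hostname)) return false;
  return ALLOWED_ORIGINS.has(url.origin);
}

// Wraps a fetch implementation so out-of-scope URLs never reach the network.
// redirect: 'error' stops an allowed origin from bouncing the request elsewhere.
function createScopedFetch(baseFetch) {
  return (url) => isInScope(url)
    ? baseFetch(url, { credentials: 'omit', redirect: 'error' })
    : Promise.reject(new Error('style sheet URL outside allowed scope'));
}

// In a page using the darkreader package:
// DarkReader.setFetchMethod(createScopedFetch(window.fetch.bind(window)));
```

The allowlist is the primary control here; the local-address check is a second layer in case a loose entry is ever added to the list.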

Exploit

Fix

Exposure of Resource to Wrong Sphere

Information Disclosure

Origin Validation Error

Weakness Enumeration

Related Identifiers

CVE-2025-68467
GHSA-X369-MCW8-8RVJ

Affected Products

Darkreader