
CVE-2025-52558: changedetection.io XSS Vulnerability

CVE-2025-52558 is a cross-site scripting flaw in changedetection.io caused by filter error messages that were rendered without HTML escaping in website page change detection watches. This post covers the technical details, affected versions, impact, and mitigation.

CVE-2025-52558 Overview

CVE-2025-52558 is a cross-site scripting (XSS) vulnerability in changedetection.io, an open source web page change detection, website watcher, restock monitor, and notification service. Versions prior to 0.50.4 fail to sanitize errors generated from filters in website page change detection watches. An attacker can inject malicious script content that executes in the browser context of users viewing the affected watch errors. The maintainers patched the issue in version 0.50.4. The flaw is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation.

Critical Impact

Authenticated or unauthenticated attackers can trigger script execution in user browsers through unfiltered filter error output, enabling session theft and UI manipulation.

Affected Products

  • changedetection.io versions prior to 0.50.4
  • Self-hosted changedetection.io deployments
  • Docker-based changedetection.io installations using vulnerable image tags

Discovery Timeline

  • 2025-06-23 - CVE-2025-52558 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-52558

Vulnerability Analysis

The vulnerability resides in how changedetection.io renders error output produced by watch filters. When a user configures a filter such as a CSS selector, XPath expression, or JSON path for monitoring a web page, the application may produce an error message when the filter cannot be applied or returns invalid content. Prior to version 0.50.4, that error output was rendered to the web interface without proper HTML encoding.

An attacker who can influence filter content, the monitored page content, or error-producing input can inject HTML or JavaScript that the browser executes when a user views the watch. The impact includes session hijacking, credential theft through DOM manipulation, and unauthorized actions performed under the authenticated user's session.

Root Cause

The root cause is missing output encoding on filter error strings before they are written to HTML templates. The application treated error text as trusted output rather than untrusted, user-influenced content, violating the contextual escaping requirement described by CWE-79.
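The following is an added illustration of the root cause, not code from changedetection.io or its fix. It models a hypothetical filter stage whose error message embeds the selector the user typed, then renders that message two ways: interpolated straight into HTML (the pre-0.50.4 pattern the advisory describes) and through contextual HTML escaping. The selector, error wording and wrapper markup are all constructed for the example.

```python
import html

# Constructed example: a CSS selector that a filter engine would reject, with
# markup smuggled into it. Watch owners type selectors themselves, so the
# selector is attacker-influenced input.
BAD_SELECTOR = 'div.price"><img src=x onerror="alert(1)">'


def filter_error_message(selector: str) -> str:
    """Hypothetical error string a filter stage emits when a selector fails.
    It embeds the raw selector, so whatever the user typed ends up in the
    message that is later shown in the watch view."""
    return f"Filter '{selector}' did not match any elements"


def render_error_vulnerable(error: str) -> str:
    """Pre-fix pattern: the error text is written into element content with
    no encoding, so any tag inside it becomes live markup."""
    return f'<div class="watch-error">{error}</div>'


def render_error_fixed(error: str) -> str:
    """Hardened form: escape for the HTML element-content context before the
    string is written out. Quotes are escaped too, so the same text is safe
    in attribute values."""
    return f'<div class="watch-error">{html.escape(error, quote=True)}</div>'


def contains_live_markup(fragment: str) -> bool:
    """Crude check for the demonstration: does the rendered fragment still
    contain an unescaped tag from the error text (the wrapper <div> is the
    only tag that should be present)?"""
    lowered = fragment.lower()
    return any(tag in lowered for tag in ("<img", "<script", "<svg"))


if __name__ == "__main__":
    message = filter_error_message(BAD_SELECTOR)
    print("vulnerable:", render_error_vulnerable(message))
    print("fixed:     ", render_error_fixed(message))
```

The escaped output still contains the literal text `onerror=`, which is harmless once the surrounding `<` and `>` are encoded; that is why the check looks for a raw opening tag rather than for attribute names. In a Jinja2 application the equivalent fix is to keep autoescaping on for the template and never pass error strings through `|safe` or `Markup()`.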

Attack Vector

Exploitation requires a network-reachable changedetection.io instance and user interaction to view the watch containing the malicious filter error. An attacker can craft a malicious watch configuration on a shared instance, or influence a monitored page so the filter pipeline emits an error containing attacker-controlled markup. When the victim opens the watch view, the injected script executes.

No verified public proof-of-concept code is available for this issue. Technical detail is documented in the GitHub Security Advisory GHSA-hwpg-x5hw-vpv9 and the upstream commit.

Detection Methods for CVE-2025-52558

Indicators of Compromise

  • Watch filter configurations containing HTML tags such as <script>, <img onerror=, or <svg onload= within selectors or paths.
  • Unexpected JavaScript execution or DOM modification when viewing watch error pages in changedetection.io.
  • Outbound requests from administrator browsers to attacker-controlled domains after viewing a watch.

Detection Strategies

  • Review server logs for HTTP requests to /edit/, /preview/, or watch detail endpoints containing encoded HTML payloads in query parameters or POST bodies.
  • Inspect stored watch filter fields in the changedetection.io datastore for markup or script tokens that should not appear in valid CSS, XPath, or JSON selectors.
  • Correlate authenticated session activity with anomalous outbound browser traffic from administrative workstations.
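The two log- and datastore-oriented strategies above can be automated with a short triage script. The block below is an added example, not a changedetection.io tool: it scans a constructed watch datastore for filter fields containing markup tokens and scans constructed access-log lines for watch endpoints whose percent-decoded request target contains the same tokens. The datastore layout (a top-level `watching` map keyed by watch UUID, each with an `include_filters` list) is an assumption modelled on changedetection.io's JSON datastore; adapt the keys to the file you actually have.

```python
import json
import re
from urllib.parse import unquote

# Tokens that have no business inside a CSS selector, XPath or JSON path.
# This is a triage heuristic, not a parser: review every hit by hand.
SUSPECT = re.compile(
    r"<\s*(script|img|svg|iframe)\b|on(error|load|mouseover)\s*=|javascript:",
    re.IGNORECASE,
)

# Constructed datastore sample. The "watching" / "include_filters" layout is an
# assumption about changedetection.io's JSON datastore.
SAMPLE_DATASTORE = json.dumps({
    "watching": {
        "a1": {"url": "https://example.com/price", "include_filters": ["div.price"]},
        "b2": {"url": "https://example.com/stock",
               "include_filters": ['span"><svg onload="alert(1)">']},
        "c3": {"url": "https://example.com/news", "include_filters": ["//h1"]},
    }
})

# Constructed access-log lines (combined log format). The second line carries a
# percent-encoded <script> tag in the query string of a watch edit request.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2025:10:00:01 +0000] "GET /edit/a1 HTTP/1.1" 200 1432
10.0.0.9 - - [23/Jun/2025:10:00:07 +0000] "POST /edit/b2?include_filters=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0
10.0.0.5 - - [23/Jun/2025:10:00:12 +0000] "GET /preview/c3 HTTP/1.1" 200 2210
"""

WATCH_ENDPOINTS = ("/edit/", "/preview/")


def suspicious_watches(datastore_json: str) -> list:
    """Return the UUIDs of watches whose filter fields contain markup tokens."""
    data = json.loads(datastore_json)
    hits = []
    for uuid, watch in data.get("watching", {}).items():
        for flt in watch.get("include_filters", []):
            if SUSPECT.search(flt):
                hits.append(uuid)
                break
    return hits


def suspicious_log_lines(log_text: str) -> list:
    """Return access-log lines whose request target hits a watch endpoint and,
    after percent-decoding, contains markup tokens."""
    hits = []
    for line in log_text.splitlines():
        match = re.search(r'"(?:GET|POST|PUT) (\S+) HTTP/', line)
        if not match:
            continue
        target = unquote(match.group(1))
        if target.startswith(WATCH_ENDPOINTS) and SUSPECT.search(target):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("watches with markup in filters:", suspicious_watches(SAMPLE_DATASTORE))
    for hit in suspicious_log_lines(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Percent-decoding before matching matters: a request carrying `%3Cscript%3E` would never match a pattern written against the literal `<script>`. The log scan only covers payloads that arrived through the web UI; a filter error produced by attacker-controlled content on a monitored page leaves no such request, which is why the datastore scan and the CSP reporting recommendation below are needed alongside it.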

Monitoring Recommendations

  • Enable web server access logging and forward logs to a centralized analytics platform for query-based hunting against changedetection.io endpoints.
  • Deploy Content Security Policy (CSP) reporting to capture script execution violations in the changedetection.io web UI.
  • Monitor the changedetection.io container or process for unexpected file writes to template directories that could indicate persistence attempts following an XSS-driven account takeover.

How to Mitigate CVE-2025-52558

Immediate Actions Required

  • Upgrade changedetection.io to version 0.50.4 or later without delay.
  • Audit all existing watch configurations for filter content containing HTML or script markup and remove suspicious entries.
  • Rotate session cookies and API tokens for any account that may have viewed a malicious watch since deployment.

Patch Information

The fix is included in changedetection.io version 0.50.4. The remediation commit is 3d5a544ea674cfce517adcd498877a8d760d0931, which applies proper escaping to filter error output. Operators running Docker deployments should pull the updated image and redeploy. Additional context is available in the GitHub Security Advisory GHSA-hwpg-x5hw-vpv9.

Workarounds

  • Restrict access to the changedetection.io web UI to trusted users behind authentication and network controls until the patch is applied.
  • Enforce a strict Content Security Policy that disallows inline scripts on the changedetection.io origin to limit XSS payload execution.
  • Limit which users can create or modify watches, reducing the population of accounts that can introduce malicious filter content.

```bash
# Upgrade example for Docker-based deployments
docker pull ghcr.io/dgtlmoon/changedetection.io:0.50.4
docker stop changedetection
docker rm changedetection
docker run -d --name changedetection \
  -p 5000:5000 \
  -v /opt/changedetection-data:/datastore \
  ghcr.io/dgtlmoon/changedetection.io:0.50.4
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
