Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64177

CVE-2025-64177: ThinkDashboard Stored XSS Vulnerability

CVE-2025-64177 is a stored Cross-Site Scripting flaw in Matiasdesuu ThinkDashboard affecting versions 0.6.7 and below. Attackers exploit this via malicious bookmarks. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-64177 Overview

CVE-2025-64177 is a stored Cross-Site Scripting (XSS) vulnerability in ThinkDashboard, a self-hosted bookmark dashboard built with Go and vanilla JavaScript. The flaw affects versions 0.6.7 and below and stems from missing scheme filtering on bookmark URLs. An attacker with the ability to create or modify a bookmark can inject a malicious URI scheme, such as javascript:, that executes arbitrary JavaScript when another user clicks the bookmark. The issue is tracked as CWE-79: Improper Neutralization of Input During Web Page Generation and is fixed in version 0.6.8.

Critical Impact

Attackers can execute arbitrary JavaScript in the victim's browser session, enabling session token theft, dashboard manipulation, and pivoting to other browser-accessible resources.

Affected Products

  • ThinkDashboard versions 0.6.7 and below
  • Vendor: matiasdesuu
  • Fixed in ThinkDashboard 0.6.8

Discovery Timeline

  • 2025-11-06 - CVE-2025-64177 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64177

Vulnerability Analysis

ThinkDashboard stores user-supplied bookmark URLs and renders them as clickable links in the dashboard interface. Prior to version 0.6.8, the application did not validate or filter the URI scheme portion of a bookmark URL. This omission allowed an attacker to save a bookmark whose target used a script-executing pseudo-scheme such as javascript: in place of http: or https:. When any user of the dashboard clicked the malicious bookmark, the browser evaluated the attacker-controlled payload in the origin of the ThinkDashboard application.

Because the payload executes in the authenticated context of the victim, it can read session cookies not marked HttpOnly, invoke authenticated API endpoints on the dashboard, and modify or exfiltrate stored bookmark data. Exploitation requires user interaction, which limits automated mass exploitation but remains practical in shared or multi-user deployments.

Root Cause

The root cause is missing input validation on the bookmark URL field. The application accepted any string as a URL and rendered it directly into an anchor tag's href attribute without enforcing an allowlist of safe schemes such as http, https, mailto, or ftp. The fix in commit 16976263b22a4b0526b2c7c30294cc099258edae introduces scheme filtering to reject javascript:, data:, and other executable URI schemes.

Attack Vector

An attacker with permission to add or edit bookmarks submits a bookmark whose URL begins with javascript: followed by an arbitrary payload. The malicious entry persists in the dashboard datastore. When a legitimate user later clicks the bookmark tile, the payload runs in the dashboard's origin. Refer to the GitHub Security Advisory GHSA-57f2-rhxm-fjv3 for the maintainer's technical description.

Detection Methods for CVE-2025-64177

Indicators of Compromise

  • Bookmark records containing URL values that begin with javascript:, data:, vbscript:, or other non-network schemes.
  • Unexpected outbound requests from user browsers to attacker-controlled hosts immediately after loading the dashboard.
  • Session cookie access or account activity originating from IP addresses that do not match the user's normal pattern.

Detection Strategies

  • Audit the ThinkDashboard bookmark datastore for entries whose stored URL does not begin with http:// or https://.
  • Deploy a Content Security Policy (CSP) in report-only mode to surface inline script execution attempts triggered by clicked bookmarks.
  • Review web server access logs for anomalous referer patterns originating from the dashboard host that indicate exfiltration callbacks.

Monitoring Recommendations

  • Alert on any HTTP request from the dashboard containing encoded fragments of javascript: or <script> in bookmark creation endpoints.
  • Monitor multi-user ThinkDashboard instances for privilege changes or bookmark modifications performed shortly after another user's login.
  • Correlate browser telemetry with dashboard activity to identify cross-user script execution events.

How to Mitigate CVE-2025-64177

Immediate Actions Required

  • Upgrade ThinkDashboard to version 0.6.8 or later without delay.
  • Inspect all existing bookmarks and delete any entry whose URL uses a non-network scheme.
  • Rotate session tokens and force reauthentication for all dashboard users after upgrade.

Patch Information

The vulnerability is fixed in ThinkDashboard 0.6.8. The upstream patch is available in GitHub commit 16976263, which adds scheme filtering to reject javascript: and other executable URI schemes before rendering bookmarks. Users tracking the project should also review the GHSA-57f2-rhxm-fjv3 advisory for release notes.

Workarounds

  • Restrict bookmark creation privileges to trusted administrators until the upgrade is applied.
  • Place ThinkDashboard behind a reverse proxy that enforces a strict Content Security Policy blocking inline script execution.
  • Instruct users to avoid clicking bookmarks added by others until the deployment is on version 0.6.8.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.