CVE-2025-64177 Overview
CVE-2025-64177 is a stored Cross-Site Scripting (XSS) vulnerability in ThinkDashboard, a self-hosted bookmark dashboard built with Go and vanilla JavaScript. The flaw affects versions 0.6.7 and below and stems from missing scheme filtering on bookmark URLs. An attacker with the ability to create or modify a bookmark can inject a malicious URI scheme, such as javascript:, that executes arbitrary JavaScript when another user clicks the bookmark. The issue is tracked as CWE-79: Improper Neutralization of Input During Web Page Generation and is fixed in version 0.6.8.
Critical Impact
Attackers can execute arbitrary JavaScript in the victim's browser session, enabling session token theft, dashboard manipulation, and pivoting to other browser-accessible resources.
Affected Products
- ThinkDashboard versions 0.6.7 and below
- Vendor: matiasdesuu
- Fixed in ThinkDashboard 0.6.8
Discovery Timeline
- 2025-11-06 - CVE-2025-64177 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64177
Vulnerability Analysis
ThinkDashboard stores user-supplied bookmark URLs and renders them as clickable links in the dashboard interface. Prior to version 0.6.8, the application did not validate or filter the URI scheme portion of a bookmark URL. This omission allowed an attacker to save a bookmark whose target used a script-executing pseudo-scheme such as javascript: in place of http: or https:. When any user of the dashboard clicked the malicious bookmark, the browser evaluated the attacker-controlled payload in the origin of the ThinkDashboard application.
Because the payload executes in the authenticated context of the victim, it can read session cookies not marked HttpOnly, invoke authenticated API endpoints on the dashboard, and modify or exfiltrate stored bookmark data. Exploitation requires user interaction, which limits automated mass exploitation but remains practical in shared or multi-user deployments.
Root Cause
The root cause is missing input validation on the bookmark URL field. The application accepted any string as a URL and rendered it directly into an anchor tag's href attribute without enforcing an allowlist of safe schemes such as http, https, mailto, or ftp. The fix in commit 16976263b22a4b0526b2c7c30294cc099258edae introduces scheme filtering to reject javascript:, data:, and other executable URI schemes.
Attack Vector
An attacker with permission to add or edit bookmarks submits a bookmark whose URL begins with javascript: followed by an arbitrary payload. The malicious entry persists in the dashboard datastore. When a legitimate user later clicks the bookmark tile, the payload runs in the dashboard's origin. Refer to the GitHub Security Advisory GHSA-57f2-rhxm-fjv3 for the maintainer's technical description.
Detection Methods for CVE-2025-64177
Indicators of Compromise
- Bookmark records containing URL values that begin with javascript:, data:, vbscript:, or other non-network schemes.
- Unexpected outbound requests from user browsers to attacker-controlled hosts immediately after loading the dashboard.
- Session cookie access or account activity originating from IP addresses that do not match the user's normal pattern.
Detection Strategies
- Audit the ThinkDashboard bookmark datastore for entries whose stored URL does not begin with http:// or https://.
- Deploy a Content Security Policy (CSP) in report-only mode to surface inline script execution attempts triggered by clicked bookmarks.
- Review web server access logs for anomalous referer patterns originating from the dashboard host that indicate exfiltration callbacks.
Monitoring Recommendations
- Alert on any HTTP request from the dashboard containing encoded fragments of javascript: or <script> in bookmark creation endpoints.
- Monitor multi-user ThinkDashboard instances for privilege changes or bookmark modifications performed shortly after another user's login.
- Correlate browser telemetry with dashboard activity to identify cross-user script execution events.
How to Mitigate CVE-2025-64177
Immediate Actions Required
- Upgrade ThinkDashboard to version 0.6.8 or later without delay.
- Inspect all existing bookmarks and delete any entry whose URL uses a non-network scheme.
- Rotate session tokens and force reauthentication for all dashboard users after upgrade.
Patch Information
The vulnerability is fixed in ThinkDashboard 0.6.8. The upstream patch is available in GitHub commit 16976263, which adds scheme filtering to reject javascript: and other executable URI schemes before rendering bookmarks. Users tracking the project should also review the GHSA-57f2-rhxm-fjv3 advisory for release notes.
Workarounds
- Restrict bookmark creation privileges to trusted administrators until the upgrade is applied.
- Place ThinkDashboard behind a reverse proxy that enforces a strict Content Security Policy blocking inline script execution.
- Instruct users to avoid clicking bookmarks added by others until the deployment is on version 0.6.8.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

