CVE-2025-65858 Overview
A Stored Cross-Site Scripting (XSS) vulnerability exists in Calibre-Web v0.6.25 that allows attackers to inject malicious JavaScript into the username field during user creation. The payload is stored unsanitized in the application database and later executed when the /ajax/listusers endpoint is accessed. This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Attackers with administrative privileges can inject persistent JavaScript code that executes in the browser context of other administrators viewing user lists, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of legitimate users.
Affected Products
- Calibre-Web v0.6.25
Discovery Timeline
- 2025-12-02 - CVE-2025-65858 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-65858
Vulnerability Analysis
This Stored XSS vulnerability exists in Calibre-Web's user management functionality. The application fails to properly sanitize user input in the username field when creating new user accounts. When an attacker with sufficient privileges (typically administrator) creates a new user account, they can embed malicious JavaScript code within the username parameter. This malicious payload is then stored in the application's database without proper encoding or sanitization.
The CVSS v3.1 score is 3.5 (Low) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. This indicates:
- Attack Vector: Network-based exploitation
- Attack Complexity: Low - straightforward to exploit
- Privileges Required: High - attacker needs administrative access
- User Interaction: Required - victim must access the affected endpoint
- Scope: Unchanged - impact limited to the vulnerable component
- Confidentiality/Integrity Impact: Low
- Availability Impact: None
The EPSS (Exploit Prediction Scoring System) data shows a probability of 0.029% with a percentile of 7.516, indicating relatively low likelihood of exploitation in the wild.
Root Cause
The root cause of this vulnerability is improper input validation and output encoding in the Calibre-Web application. Specifically, the application does not sanitize special characters and HTML/JavaScript content in the username field during user creation. Additionally, when the user list is rendered via the /ajax/listusers endpoint, the stored username values are reflected in the HTML response without proper output encoding, allowing the injected scripts to execute in the victim's browser.
Attack Vector
The attack requires network access and elevated privileges within the Calibre-Web application. An attacker with administrative access to the user management functionality can craft a malicious username containing JavaScript code. When this payload is submitted through the user creation form, it is stored in the database. Subsequently, when any administrator navigates to view the user list via the /ajax/listusers endpoint, the malicious JavaScript executes in their browser context.
The vulnerability could be exploited to steal session cookies, perform actions on behalf of other administrators, redirect users to malicious sites, or modify page content to facilitate further social engineering attacks.
Detection Methods for CVE-2025-65858
Indicators of Compromise
- Suspicious usernames in the Calibre-Web database containing HTML tags, script elements, or encoded JavaScript payloads
- Unusual characters or escape sequences in user account names (e.g., <script>, javascript:, onerror=, onload=)
- Web application firewall (WAF) logs showing XSS payload patterns in user creation requests
- Browser console errors or unexpected script execution when viewing the /ajax/listusers endpoint
Detection Strategies
Organizations should implement monitoring for XSS patterns in user input fields, particularly focusing on the user creation and management endpoints. Web application firewalls can be configured to detect and block common XSS payloads in POST requests to user management APIs. Regular security audits of the database for suspicious content in username fields can help identify existing compromises.
Log analysis should focus on:
- HTTP POST requests to user creation endpoints containing suspicious characters
- Access patterns to the /ajax/listusers endpoint following user creation events
- Any unusual JavaScript execution or network requests originating from the application domain
Monitoring Recommendations
Enable detailed logging for all user management operations within Calibre-Web. Implement Content Security Policy (CSP) headers to mitigate the impact of successful XSS exploitation. Deploy browser-based XSS auditing tools and monitor for violations. Consider implementing real-time alerting for any database entries containing potentially malicious script content.
How to Mitigate CVE-2025-65858
Immediate Actions Required
- Audit existing user accounts in Calibre-Web for suspicious or malicious content in username fields
- Implement input validation to reject usernames containing HTML tags, script elements, or other potentially dangerous characters
- Apply output encoding when rendering usernames in the /ajax/listusers endpoint and any other user-facing interfaces
- Restrict administrative access to trusted personnel only until a patch is available
- Deploy Content Security Policy (CSP) headers to reduce the impact of any successful XSS attacks
Patch Information
As of the publication date, users should check the official Calibre-Web repository for security updates addressing this vulnerability. Monitor the GitHub security advisory for additional details and remediation guidance.
Organizations should:
- Check for updated versions of Calibre-Web that address this vulnerability
- Review the project's changelog and security advisories regularly
- Subscribe to security mailing lists for timely notification of patches
Workarounds
Until an official patch is available, organizations can implement the following workarounds:
Input Sanitization at Web Server Level: Configure your reverse proxy or web server to filter XSS patterns in incoming requests to user management endpoints.
Content Security Policy: Implement strict CSP headers to prevent inline script execution:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
Database Cleanup: Manually review and sanitize existing usernames in the database to remove any injected payloads.
Access Restriction: Limit administrative access to the minimum number of trusted users and implement network-level access controls to the admin interface.
WAF Rules: Deploy web application firewall rules to detect and block common XSS payload patterns targeting the user creation functionality.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
