Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66459

CVE-2025-66459: Lookyloo XSS Vulnerability

CVE-2025-66459 is a cross-site scripting flaw in Lookyloo that triggers when URL capture fails with HTML elements in submission. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-66459 Overview

CVE-2025-66459 is a stored Cross-Site Scripting (XSS) vulnerability in Lookyloo, a web interface that captures website pages and displays a tree of domains that call each other. The flaw affects Lookyloo versions prior to 1.35.3. When a user submits a list of URLs to capture and one of those URLs contains an HTML element, a failed capture populates an error field with the malicious URL. The unsanitized error message renders in the browser, triggering script execution in the victim's session. The issue is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation and is fixed in version 1.35.3.

Critical Impact

Attackers can execute arbitrary JavaScript in the browser context of Lookyloo users, enabling session data theft, UI manipulation, and abuse of the analyst's captured investigation data.

Affected Products

  • Lookyloo versions prior to 1.35.3
  • Deployments exposing the URL capture submission workflow to untrusted users
  • Web templates in website/web/templates/tree.html and related capture views

Discovery Timeline

  • 2025-12-02 - CVE-2025-66459 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-66459

Vulnerability Analysis

Lookyloo accepts a list of URLs from an authenticated or anonymous submitter and attempts to capture each one. When a capture fails, the application constructs an error message that embeds the offending URL verbatim. The URL is not neutralized before being written to the DOM via innerHTML, which allows an HTML element embedded in the URL string to be parsed and executed as markup rather than rendered as text.

The attack requires user interaction — a victim must view the capture results page containing the poisoned error field. Because Lookyloo is commonly deployed to investigate hostile URLs, analysts routinely open results for URLs supplied by external sources, making the interaction condition realistic in normal workflows.

Root Cause

The root cause is unsafe assignment to element.innerHTML when rendering capture data and error messages in front-end templates. The project previously relied on DOMPurify as a mitigation, but the sanitizer was not consistently applied across all sinks. Any code path writing attacker-controlled input to innerHTML without sanitization becomes an XSS sink.

Attack Vector

An attacker submits a URL containing an HTML payload — for example, an <img> tag with an onerror handler — to Lookyloo's capture endpoint. The capture fails, and the URL is stored as part of the error field. When any user later views the capture entry, the browser parses and executes the injected markup within the Lookyloo origin.

python
# Patch excerpt from website/web/default_csp.py
# Source: https://github.com/Lookyloo/lookyloo/commit/1850a34b8cec52438df3b544295b20cfa35f8ad1
        "blob:",
        "'unsafe-inline'"
    ],
+   # jquery doesn't support that.
+   # 'require-trusted-types-for': "'script'",
    'frame-ancestors': [
        SELF,
    ],
html
<!-- Patch excerpt from website/web/templates/tree.html
     Source: https://github.com/Lookyloo/lookyloo/commit/95cdc00fe37fd89790fa89bb3ee3fefa2da38442 -->
  window.addEventListener('DOMContentLoaded', (event) => {
-     document.getElementById("start_time").innerHTML = DOMPurify.sanitize(capture_starttime.toString());
+     document.getElementById("start_time").textContent = capture_starttime.toString();
      document.getElementById("content").classList.remove('container');
      document.getElementById("content").classList.add('container-fluid');
  });

The fix replaces innerHTML writes with textContent, which forces the browser to treat the value as literal text. A related commit removes the DOMPurify dependency entirely, eliminating a class of sanitizer-bypass risks.

Detection Methods for CVE-2025-66459

Indicators of Compromise

  • Capture entries whose error field contains HTML tags such as <script>, <img, <svg, or event-handler attributes like onerror= and onload=.
  • Outbound requests from analyst browsers to unexpected domains immediately after viewing a Lookyloo capture results page.
  • Anomalous JavaScript activity in browser telemetry originating from the Lookyloo origin, including new fetch or XMLHttpRequest calls to attacker infrastructure.

Detection Strategies

  • Inspect Lookyloo's stored capture database and log files for URL submissions containing angle brackets, quote characters, or URL-encoded equivalents (%3C, %3E).
  • Compare deployed asset hashes against the values in website/web/sri.txt from the 1.35.3 release to confirm patched files are in place.
  • Audit reverse-proxy access logs for POST requests to capture submission endpoints where the URL parameter contains HTML syntax.

Monitoring Recommendations

  • Enable web application firewall (WAF) rules that flag HTML tags and JavaScript event handlers within URL submission parameters.
  • Ship browser and endpoint telemetry from analyst workstations to a centralized data lake for correlation of unusual script execution on the Lookyloo origin.
  • Alert on any client-side console errors or Content Security Policy (CSP) violations reported from the Lookyloo web interface.

How to Mitigate CVE-2025-66459

Immediate Actions Required

  • Upgrade Lookyloo to version 1.35.3 or later, which removes vulnerable innerHTML sinks and replaces them with textContent.
  • Restrict access to the Lookyloo capture submission interface to trusted analysts using network controls or authenticated reverse proxy.
  • Review existing capture history for stored payloads and purge or quarantine entries containing HTML markup in URL or error fields.

Patch Information

The fix is available in Lookyloo 1.35.3. Relevant commits include 1850a34 which adjusts the Content Security Policy, 8c3ab96 which removes DOMPurify in favor of textContent, and 95cdc00 which patches tree.html. Full details are documented in the Lookyloo GitHub Security Advisory GHSA-hvmh-j2jx-48wg.

Workarounds

  • If patching is delayed, deploy a strict Content Security Policy that disallows inline scripts and unsafe event handlers on the Lookyloo origin.
  • Place Lookyloo behind an authenticating reverse proxy and limit URL submission to trusted internal users only.
  • Filter or reject capture submissions containing angle brackets or HTML entities at the ingress layer until the upgrade is complete.
bash
# Upgrade Lookyloo to the fixed release
cd /opt/lookyloo
git fetch --tags
git checkout v1.35.3
poetry install
# Restart the Lookyloo services
systemctl restart lookyloo

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.