CVE-2025-66563 Overview
CVE-2025-66563 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in Monkeytype, a minimalistic and customizable typing test application. Versions 25.49.0 and earlier improperly handle user input in quote submissions. The quote.text and quote.source fields are inserted directly into the DOM without adequate sanitization. When a moderator or user views a malicious quote submission, embedded HTML tags render in the browser. This allows attackers to execute arbitrary JavaScript in the victim's session.
Critical Impact
Attackers can submit quotes containing malicious HTML that executes JavaScript against moderators viewing the quote approval modal, enabling session hijacking and account compromise.
Affected Products
- Monkeytype versions 25.49.0 and earlier
- The quote-approve.ts frontend modal component
- Quote submission and review workflows
Discovery Timeline
- 2025-12-04 - CVE-2025-66563 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-66563
Vulnerability Analysis
The vulnerability resides in the quote approval workflow of the Monkeytype frontend. User-submitted quote data flows from the submission endpoint into the moderator-facing approval modal without HTML escaping. Because the quote.text and quote.source fields concatenate directly into DOM strings, embedded <script> tags or event handlers execute when the modal renders.
Exploitation requires user interaction from a privileged reviewer opening the malicious submission. Once triggered, JavaScript runs in the origin context of the Monkeytype application. Attackers can steal authentication tokens, perform actions as the moderator, or pivot to further account takeover. The impact is amplified because moderators typically hold elevated privileges over content approval.
Root Cause
The root cause is missing output encoding when rendering user-controlled strings into HTML. The pre-patch code performed limited escaping using surrounding quotes and <textarea> tags, but neither approach neutralizes all HTML injection vectors. Attackers can break out of these contexts using crafted markup and execute script payloads.
Attack Vector
An attacker submits a quote containing HTML or JavaScript payloads through the public quote submission form. The malicious content persists in the pending quote queue. When a moderator opens the quote approval modal to review submissions, the payload renders and executes in the moderator's browser session.
// Security patch in frontend/src/ts/modals/quote-approve.ts
import { format } from "date-fns/format";
import AnimatedModal, { ShowOptions } from "../utils/animated-modal";
import { Quote } from "@monkeytype/schemas/quotes";
+import { escapeHTML } from "../utils/misc";
let quotes: Quote[] = [];
The patch imports an escapeHTML utility that neutralizes HTML metacharacters in quote.text and quote.source before insertion into the DOM. Source: GitHub Commit d6d062a
Detection Methods for CVE-2025-66563
Indicators of Compromise
- Quote submissions containing HTML tags such as <script>, <img onerror=>, or <svg onload=> in the text or source fields
- Unexpected outbound requests from moderator browsers to attacker-controlled domains during quote review
- Session token exfiltration events tied to moderator accounts shortly after quote approval activity
- Anomalous account modifications performed by moderator accounts without corresponding user actions
Detection Strategies
- Inspect the quote submission database for stored payloads containing HTML entities, event handler attributes, or javascript: URIs
- Deploy Content Security Policy (CSP) violation reporting to capture inline script execution attempts in the approval modal
- Monitor browser network telemetry from moderator sessions for connections to unfamiliar external domains
- Correlate quote submission timestamps with subsequent suspicious authenticated actions on moderator accounts
Monitoring Recommendations
- Log all quote submissions with source IP, user agent, and full submission payload for retroactive review
- Alert on quote content matching regular expressions for common XSS payload patterns
- Track failed and successful moderator authentication events for anomalies following quote review sessions
- Enable browser-side error reporting to detect script execution failures indicating attempted exploitation
How to Mitigate CVE-2025-66563
Immediate Actions Required
- Upgrade Monkeytype to the version containing commit d6d062a77132ba7d6ba3b482d46ae329d3b8d695 or later
- Audit the existing pending quote submission queue for stored HTML or JavaScript payloads and remove malicious entries
- Rotate authentication credentials and session tokens for any moderator accounts that reviewed submissions during the vulnerable window
- Review moderator account activity logs for signs of unauthorized actions following quote approvals
Patch Information
The fix is available in the Monkeytype GitHub repository. The patch introduces the escapeHTML utility from ../utils/misc and applies it to user-controlled fields before DOM insertion. Full advisory details are available in the GHSA-mfjh-9552-8g27 security advisory.
Workarounds
- Temporarily disable the community quote submission feature until the patch is deployed
- Enforce a strict Content Security Policy that blocks inline script execution and restricts script sources
- Apply server-side input validation to reject quote submissions containing HTML tags or JavaScript URI schemes
- Route quote approval workflows through an isolated browser profile to limit blast radius if exploitation occurs
# Example CSP header to mitigate inline script execution
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

