CVE-2025-68467 Overview
CVE-2025-68467 is an information disclosure vulnerability affecting Dark Reader, a popular browser extension that provides dark mode functionality by analyzing and modifying web page colors. The vulnerability exists in the extension's dynamic dark mode feature, which processes CSS style sheet files from web pages. Prior to version 4.9.117, when handling cross-origin style sheets, the extension stored parsed content in the page's Session Storage and used HTML Style Elements for parsing, potentially allowing malicious website authors to probe for locally running web servers by requesting style sheets from localhost addresses.
Critical Impact
A malicious website could potentially detect the presence of local web servers by crafting style sheet requests to known localhost URLs, enabling limited information disclosure about the user's local environment.
Affected Products
- Dark Reader browser extension versions prior to 4.9.117
- Custom forks and integrations based on earlier Dark Reader versions
- Applications using the darkreader NPM package with improperly scoped setFetchMethod() implementations
Discovery Timeline
- December 3, 2025 - Dark Reader releases version 4.9.117 with fix implementing Constructed Style Sheets API
- December 8, 2025 - Version 4.9.118 released with additional restrictions on cross-origin requests
- December 18, 2025 - No known exploit reported as of this date
- March 4, 2026 - CVE CVE-2025-68467 published to NVD
- March 5, 2026 - Last updated in NVD database
Technical Details for CVE-2025-68467
Vulnerability Analysis
The vulnerability stems from how Dark Reader's dynamic dark mode feature handles cross-origin CSS style sheets. The extension analyzes web page colors by processing CSS files, and when these files are hosted on different domains than the page being viewed, the extension fetches them via a background worker. While the extension implemented security measures such as credential-less requests and content-type validation, the parsed style content was stored in the page's Session Storage and processed through HTML Style Elements. This design allowed website authors to potentially craft requests to locally running web servers (e.g., http://localhost:8080/style.css), which could reveal information about services running on the user's machine if the full URL was known in advance.
Root Cause
The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability arose from storing cross-origin style sheet contents in the page's Session Storage and using HTML Style Elements for parsing CSS declarations. This approach inadvertently exposed information about the success or failure of requests to local resources, creating an information leakage vector that could be exploited by malicious websites with prior knowledge of local service URLs.
Attack Vector
The attack requires network access and user interaction, with the attacker needing to lure a victim to a malicious website. The malicious site would include references to style sheets hosted on localhost or local IP addresses. While brute-force discovery of local services would be impractical due to performance impacts causing browser tab hangs, an attacker with prior knowledge of specific local service URLs could potentially confirm their existence. The attack crosses security boundaries (scope: changed) by allowing a web page to infer information about the user's local environment.
The exploitation mechanism relies on the extension's cross-origin style sheet fetching behavior. A malicious website author would craft HTML with style sheet links pointing to suspected local server addresses. When Dark Reader processes these pages, successful style sheet fetches would result in data being stored in Session Storage, while failed requests would not. This differential behavior could theoretically be observed to determine whether specific local services exist.
Detection Methods for CVE-2025-68467
Indicators of Compromise
- Unusual network requests from the browser to localhost or local IP addresses originating from Dark Reader extension context
- Web pages containing style sheet references to localhost, 127.0.0.1, or private IP ranges in suspicious contexts
- Session Storage entries containing CSS content from local network sources
- Browser extension logs showing cross-origin requests to non-standard ports on localhost
Detection Strategies
- Monitor browser network traffic for style sheet requests to localhost aliases and private IP addresses that originate from extension contexts
- Implement Content Security Policy (CSP) rules that restrict style sheet sources to known, trusted domains
- Review browser extension permissions and audit cross-origin request patterns for anomalies
- Deploy endpoint detection rules to identify web pages attempting to reference local resources through CSS imports
Monitoring Recommendations
- Enable browser developer tools network monitoring when visiting untrusted websites to observe extension behavior
- Implement network-level monitoring for unexpected connections to local services from browser processes
- Regularly audit installed browser extensions and verify they are running the latest versions
- Configure enterprise browser policies to enforce automatic extension updates
How to Mitigate CVE-2025-68467
Immediate Actions Required
- Update Dark Reader extension to version 4.9.118 or later immediately
- Verify automatic browser extension updates are enabled and not blocked by browser policies or network configurations
- For manual builds, upgrade to version 4.9.118 or above
- Developers using the darkreader NPM package should audit their setFetchMethod() implementations to ensure proper scope restrictions
Patch Information
The vulnerability has been addressed in two releases. Version 4.9.117, released on December 3, 2025, implemented a fix using the modern Constructed Style Sheets API and removed cross-origin style sheet storage from Session Storage. Version 4.9.118, released on December 8, 2025, added additional restrictions blocking cross-origin requests to localhost aliases, IP addresses, hosts with ports, and non-HTTPS resources. The vast majority of users received automatic updates within a week of release. For detailed information, see the GitHub Security Advisory.
Workarounds
- Temporarily disable the Dark Reader extension on sensitive browsing sessions until the update is confirmed installed
- Navigate to chrome://extensions (Chrome) or about:addons (Firefox) to verify the extension version is 4.9.118 or higher
- Developers maintaining custom forks should implement secure cross-origin request handling that restricts responses from being accessible outside the extension context
- Consider using browser profiles with minimal extensions for accessing sensitive local development environments
# Verify Dark Reader extension version in Chrome
# Navigate to: chrome://extensions
# Enable "Developer mode" toggle
# Locate Dark Reader and verify version >= 4.9.118
# For Firefox users
# Navigate to: about:addons
# Click on Dark Reader extension
# Verify version is 4.9.118 or higher
# For NPM package users, update dependency
npm update darkreader@latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
