CVE-2025-68927 Overview
Libredesk, a self-hosted customer support desk application, contains a stored HTML injection vulnerability in the contact notes feature. Versions prior to 0.8.6-beta fail to sanitize user-supplied HTML when notes are submitted via POST /api/v1/contacts/{id}/notes. The backend wraps input in <p> tags, but an attacker who intercepts the request and strips the wrapping tag can inject arbitrary HTML elements such as forms and images. The injected markup is then stored and rendered without proper sanitization, enabling phishing, CSRF-style forced actions, and UI redress attacks. The issue is tracked as [CWE-79] and was patched in version 0.8.6-beta.
Critical Impact
Authenticated users can persist malicious HTML in contact notes, which is later rendered to support agents and can be leveraged for credential theft, forced actions, and clickjacking.
Affected Products
- Libredesk versions prior to 0.8.6-beta
- Component: libredesk:libredesk
- Fixed release: 0.8.6-beta
Discovery Timeline
- 2025-12-27 - CVE-2025-68927 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-68927
Vulnerability Analysis
The vulnerability resides in the contact notes handling logic of Libredesk. When an authenticated user submits a note through POST /api/v1/contacts/{id}/notes, the backend automatically wraps the provided text in <p> tags before storing it. This wrapping was the only structural transformation applied, and the backend relied on the frontend Vue components to sanitize rendered output.
On the frontend, both ContactNotes.vue and CommandBox.vue rendered stored note content using the v-dompurify-html directive with the native-html class. However, because an attacker can intercept the outbound request and remove the wrapping <p> tag, the resulting payload bypasses assumptions made by downstream rendering logic. The stored HTML is later served to any user viewing the contact, including support agents.
Root Cause
The root cause is missing server-side output sanitization combined with fragile client-side rendering. The application trusted intercepted client input and stored raw HTML rather than escaping or filtering dangerous tags such as <form>, <img>, <iframe>, and event-handler attributes before persistence.
Attack Vector
An attacker with permissions to add contact notes intercepts the API call and injects arbitrary HTML. When another authenticated user opens the contact, the injected content renders in their browser session. This enables phishing forms mimicking the Libredesk login, forced navigation via CSRF, and layered UI redress that tricks agents into clicking hidden controls.
// Patch: frontend/src/features/contact/ContactNotes.vue
<!-- Note content -->
<CardContent class="pt-4 pb-5">
- <p class="whitespace-pre-wrap text-sm native-html" v-dompurify-html="note.note"></p>
+ <Letter
+ :html="note.note"
+ :allowedSchemas="['cid', 'https', 'http', 'mailto']"
+ class="whitespace-pre-wrap text-sm native-html"
+ />
</CardContent>
// Source: https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb
The patch replaces v-dompurify-html rendering with the vue-letterLetter component and restricts allowed URL schemas to cid, https, http, and mailto. The same replacement is applied in CommandBox.vue for the reply preview.
Detection Methods for CVE-2025-68927
Indicators of Compromise
- Contact note records containing raw HTML tags such as <form>, <iframe>, <img onerror=...>, or <script> in the note field.
- Requests to POST /api/v1/contacts/{id}/notes whose bodies contain HTML markup outside a single wrapping <p> tag.
- Outbound requests from agent browsers to unexpected domains after viewing a contact profile.
Detection Strategies
- Query the Libredesk database for notes containing tag characters (<, >) or attribute patterns like onerror=, onclick=, or action=.
- Review reverse proxy logs for POST requests to the notes endpoint with unusually large or HTML-heavy bodies.
- Inspect browser Content Security Policy violation reports generated when agents render contact notes.
Monitoring Recommendations
- Alert on new contact notes containing HTML tags other than a wrapping paragraph element.
- Monitor agent workstations for anomalous form submissions or redirects following contact page views.
- Track version strings reported by Libredesk instances to confirm all deployments are running 0.8.6-beta or later.
How to Mitigate CVE-2025-68927
Immediate Actions Required
- Upgrade Libredesk to version 0.8.6-beta or later, which replaces v-dompurify-html rendering with the vue-letterLetter component and enforces an allowed URL schema list.
- Audit existing contact notes for stored HTML payloads and remove or neutralize any malicious content before agents re-open affected records.
- Rotate session tokens and credentials for any agent who viewed suspect contact notes prior to remediation.
Patch Information
The fix is available in the upstream commit 270347849943ac6a43e9fd6ebdc99c71841900eb and is documented in the Libredesk GitHub Security Advisory GHSA-wh6m-h6f4-rjf4. Upgrading to 0.8.6-beta applies the sanitized rendering path in both ContactNotes.vue and CommandBox.vue.
Workarounds
- Restrict which user roles can create or edit contact notes until the patch is applied.
- Deploy a strict Content Security Policy that blocks inline event handlers and disallows form submissions to third-party origins.
- Place Libredesk behind a web application firewall rule that rejects POST /api/v1/contacts/{id}/notes bodies containing tags such as <form>, <iframe>, or <script>.
# Example WAF/reverse proxy rule (nginx) to block HTML-heavy note submissions
location ~ ^/api/v1/contacts/[0-9]+/notes$ {
if ($request_method = POST) {
set $block 0;
if ($request_body ~* "<(script|iframe|form|object|embed)\b") { set $block 1; }
if ($block = 1) { return 403; }
}
proxy_pass http://libredesk_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

