CVE-2025-68935 Overview
CVE-2025-68935 is a stored cross-site scripting (XSS) vulnerability in ONLYOFFICE Docs (DocumentServer) versions prior to 9.2.1. The flaw resides in the Font field of the Multilevel list settings window, where user-supplied input is rendered without proper sanitization. An attacker can inject arbitrary JavaScript that executes in the context of another user's browser session when the affected UI element is rendered.
The issue is tracked under [CWE-79] (Improper Neutralization of Input During Web Page Generation) and requires user interaction to trigger. Successful exploitation can lead to session hijacking, data theft within the document editor, and unauthorized actions performed on behalf of the victim.
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser session, enabling document data theft, session compromise, and unauthorized editor actions.
Affected Products
- ONLYOFFICE Document Server versions prior to 9.2.1
- ONLYOFFICE Docs deployments embedding the vulnerable DocumentServer component
- Third-party integrations bundling ONLYOFFICE DocumentServer below 9.2.1
Discovery Timeline
- 2025-12-25 - CVE-2025-68935 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-68935
Vulnerability Analysis
The vulnerability is a client-side stored XSS flaw in the DocumentServer web interface. When a user configures Multilevel list settings, the Font field accepts input that is later inserted into the rendered document editor DOM without adequate output encoding. An attacker who can influence this field, either through a shared document or a malicious template, can embed JavaScript payloads that execute when the settings window renders the value.
The scope is marked as changed, meaning the injected script executes in a security context different from the vulnerable component. Confidentiality and integrity impacts are limited but real, since scripts can read editor state, exfiltrate document content, and perform authenticated actions within the collaborative editor. Availability is not directly affected.
Exploitation requires user interaction. A victim must open a document or view a list configuration containing the malicious font value. Because ONLYOFFICE Docs is commonly embedded into collaboration platforms, the blast radius extends to any application that renders documents through the vulnerable DocumentServer.
Root Cause
The root cause is missing or insufficient output encoding of the Font field value in the Multilevel list settings component. The DocumentServer front-end treats the value as trusted markup rather than opaque text, allowing HTML and script constructs to be interpreted by the browser.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a document or list configuration containing a malicious payload in the Font field. When a target user opens or edits the document, the payload executes in their browser under the origin serving DocumentServer.
No verified proof-of-concept has been published. For technical remediation details, consult the ONLYOFFICE DocumentServer 9.2.1 changelog.
Detection Methods for CVE-2025-68935
Indicators of Compromise
- Documents containing unusual HTML tags, <script> elements, or JavaScript event handler attributes embedded in list style or font metadata.
- Browser console errors or Content Security Policy (CSP) violations originating from the DocumentServer editor origin.
- Outbound HTTP requests from user browsers to unexpected domains initiated while editing ONLYOFFICE documents.
Detection Strategies
- Inspect stored documents and templates for markup patterns in list configuration fields that should contain only plain font names.
- Enable and monitor CSP reporting on the DocumentServer origin to surface inline script execution attempts.
- Review DocumentServer access logs for anomalous document open patterns preceding suspicious user session activity.
Monitoring Recommendations
- Track editor session anomalies such as unexpected token use, cookie access, or API calls originating from document viewers.
- Alert on DocumentServer versions reported below 9.2.1 in asset inventory and vulnerability management tooling.
- Correlate web proxy telemetry with document access events to detect data exfiltration following document rendering.
How to Mitigate CVE-2025-68935
Immediate Actions Required
- Upgrade all ONLYOFFICE DocumentServer instances to version 9.2.1 or later.
- Audit shared documents and templates for injected payloads in list font metadata and remove suspicious entries.
- Rotate session tokens and API keys for users who may have opened untrusted documents on vulnerable versions.
Patch Information
ONLYOFFICE addressed the vulnerability in DocumentServer 9.2.1. Details are documented in the ONLYOFFICE DocumentServer Changelog. Administrators should follow standard ONLYOFFICE upgrade procedures for their deployment type (Docker, Linux package, or Windows installer).
Workarounds
- Restrict document upload and editing privileges to trusted users until patching is complete.
- Enforce a strict Content Security Policy on the DocumentServer origin to block inline script execution.
- Isolate the DocumentServer web origin from sensitive application cookies using separate subdomains and SameSite cookie attributes.
# Example: verify installed ONLYOFFICE DocumentServer version and upgrade
dpkg -l | grep onlyoffice-documentserver
# Debian/Ubuntu upgrade path
sudo apt-get update
sudo apt-get install --only-upgrade onlyoffice-documentserver
# Docker upgrade path
docker pull onlyoffice/documentserver:9.2.1
docker stop onlyoffice-documentserver && docker rm onlyoffice-documentserver
docker run -i -t -d -p 80:80 --name onlyoffice-documentserver onlyoffice/documentserver:9.2.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

