Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70845

CVE-2025-70845: lty628 aidigu XSS Vulnerability

CVE-2025-70845 is a Cross Site Scripting flaw in lty628 aidigu v1.9.1 affecting the /setting/ page intro field. This article covers technical details, affected versions, security impact, and mitigation.

Updated:

CVE-2025-70845 Overview

CVE-2025-70845 is a stored Cross-Site Scripting (XSS) vulnerability in lty628 aidigu version 1.9.1. The flaw exists in the /setting/ page, where the intro field is not properly sanitized or escaped before being rendered. An attacker can inject arbitrary JavaScript into the intro profile field, which then executes in the browser of any user who views the affected profile content. The issue is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation.

Critical Impact

Authenticated attackers can persist malicious JavaScript in user profiles, enabling session theft, credential harvesting, and unauthorized actions performed in the context of any victim who views the injected content.

Affected Products

  • lty628 aidigu version 1.9.1
  • The /setting/ page handling the intro profile field
  • Deployments referencing the aidigu GitHub repository

Discovery Timeline

  • 2026-02-12 - CVE-2025-70845 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-70845

Vulnerability Analysis

The vulnerability is a stored XSS condition affecting the user settings workflow in aidigu v1.9.1. When a user submits content to the intro field on the /setting/ page, the application stores the input without applying output encoding or HTML sanitization. When the stored value is later rendered in a victim's browser, embedded HTML and JavaScript execute in the security context of the application.

Exploitation requires user interaction, as a victim must load the page that renders the malicious intro value. Because the attack changes the executing security scope, payloads can access cookies, perform requests authenticated as the victim, and modify rendered page content. The Exploit Prediction Scoring System (EPSS) places the probability of exploitation at 0.039%, and no public exploit or active exploitation has been reported.

Root Cause

The root cause is missing output encoding on the intro field handled by the /setting/ endpoint. The application accepts arbitrary characters, including <, >, and quote characters, and reflects them into HTML responses without contextual escaping. This violates the principle of treating all user-supplied data as untrusted at render time.

Attack Vector

An attacker authenticates to the application and submits a crafted payload in the intro field through the /setting/ page. The payload is stored server-side and later rendered to other users or administrators who navigate to a page that displays the attacker's profile data. Because the payload executes in the victim's browser session, it can hijack sessions, exfiltrate tokens, or perform actions through the application's existing UI flows. Refer to the vulnerability research repository for technical details.

Detection Methods for CVE-2025-70845

Indicators of Compromise

  • Stored profile intro values containing HTML tags such as <script>, <img onerror=...>, or <svg onload=...>.
  • Outbound browser requests from authenticated sessions to attacker-controlled hosts originating after rendering a profile page.
  • Unexpected DOM modifications or JavaScript errors reported on pages that display user profile data.

Detection Strategies

  • Audit the database column backing the intro field for entries containing HTML or JavaScript syntax.
  • Inspect web server access logs for POST requests to /setting/ containing URL-encoded <script> or event handler payloads.
  • Deploy a Content Security Policy (CSP) in report-only mode to identify inline script execution and unexpected script sources.

Monitoring Recommendations

  • Enable verbose request logging on the /setting/ endpoint, including request bodies, to capture injection attempts.
  • Monitor authenticated user activity for anomalous outbound requests immediately after profile page loads.
  • Alert on CSP violation reports referencing inline event handlers or third-party script origins.

How to Mitigate CVE-2025-70845

Immediate Actions Required

  • Restrict access to the /setting/ page to trusted users until a patch is applied.
  • Sanitize existing intro field data in the database by stripping or encoding HTML markup.
  • Deploy a strict Content Security Policy that disallows inline scripts and untrusted script sources.

Patch Information

No official vendor patch is listed in the NVD record for CVE-2025-70845 at this time. Monitor the aidigu GitHub repository for upstream fixes and apply any new releases that address output encoding on the intro field. Until a vendor patch is available, apply the workarounds below.

Workarounds

  • Apply server-side HTML encoding to the intro field before rendering, encoding <, >, ", ', and & characters.
  • Use a vetted HTML sanitization library to strip disallowed tags and attributes from user-submitted profile content.
  • Set the HttpOnly and SameSite=Strict flags on session cookies to limit the impact of session theft via XSS.
  • Place a Web Application Firewall (WAF) rule in front of /setting/ to block requests containing common XSS payload patterns.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.