cvelistv5 - cve-2025-53528

CVE-2025-53528 (GCVE-0-2025-53528)

Vulnerability from cvelistv5 – Published: 2025-07-21 20:15 – Updated: 2025-07-23 15:01

Summary

Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.

Severity ?

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/zmievsa/cadwyn/security/adviso…	x_refsource_CONFIRM
	https://github.com/zmievsa/cadwyn/commit/b424ecd5…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	zmievsa	cadwyn	Affected: < 5.4.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53528",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-22T19:55:33.509222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-22T19:55:52.368Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cadwyn",
          "vendor": "zmievsa",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.4.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the \"/docs\" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user\u0027s session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-23T15:01:36.184Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r"
        },
        {
          "name": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728"
        }
      ],
      "source": {
        "advisory": "GHSA-2gxp-6r36-m97r",
        "discovery": "UNKNOWN"
      },
      "title": "Cadwyn is vulnerable to an XSS attack through its docs page"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53528",
    "datePublished": "2025-07-21T20:15:17.464Z",
    "dateReserved": "2025-07-02T15:15:11.514Z",
    "dateUpdated": "2025-07-23T15:01:36.184Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-53528\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-21T21:15:25.883\",\"lastModified\":\"2025-07-23T15:15:33.743\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the \\\"/docs\\\" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user\u0027s session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.\"},{\"lang\":\"es\",\"value\":\"Cadwyn crea un control de versiones de API moderno, similar a Stripe, basado en la comunidad y listo para producci\u00f3n en FastAPI. En las versiones 5.4.3 y anteriores, el par\u00e1metro de versi\u00f3n del endpoint \\\"/docs\\\" es vulnerable a un ataque XSS reflejado (Cross-Site Scripting). Este XSS permitir\u00eda a un atacante ejecutar c\u00f3digo JavaScript en la sesi\u00f3n de un usuario para cualquier aplicaci\u00f3n basada en Cadwyn mediante un ataque de un solo clic. La vulnerabilidad se ha corregido en la versi\u00f3n 5.4.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53528\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-22T19:55:33.509222Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-22T19:55:41.448Z\"}}], \"cna\": {\"title\": \"Cadwyn is vulnerable to an XSS attack through its docs page\", \"source\": {\"advisory\": \"GHSA-2gxp-6r36-m97r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"zmievsa\", \"product\": \"cadwyn\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 5.4.3\"}]}], \"references\": [{\"url\": \"https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r\", \"name\": \"https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728\", \"name\": \"https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the \\\"/docs\\\" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user\u0027s session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-23T15:01:36.184Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53528\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-23T15:01:36.184Z\", \"dateReserved\": \"2025-07-02T15:15:11.514Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-21T20:15:17.464Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

PYSEC-2025-71

Vulnerability from pysec - Published: 2025-07-21 21:15 - Updated: 2025-07-23 15:24

Details

Impacted products

Name	purl
cadwyn	pkg:pypi/cadwyn

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cadwyn",
        "purl": "pkg:pypi/cadwyn"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "b424ecd57cd8dabbc8fe39b8f8ccafea629c7728"
            }
          ],
          "repo": "https://github.com/zmievsa/cadwyn",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0",
        "0.2.0",
        "1.0.0",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.1.0",
        "1.2.0",
        "1.3.0",
        "2.0.0",
        "2.0.1",
        "2.0.2",
        "2.0.3",
        "2.0.4",
        "2.0.5",
        "2.1.0",
        "2.1.0rc0",
        "2.1.0rc1",
        "2.2.0",
        "2.3.0",
        "2.3.0rc0",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.3.4",
        "2.3.5",
        "3.0.0",
        "3.0.1",
        "3.0.2",
        "3.1.0",
        "3.1.1",
        "3.1.2",
        "3.1.3",
        "3.1.4",
        "3.10.0",
        "3.10.1",
        "3.11.0",
        "3.11.1",
        "3.12.0",
        "3.12.1",
        "3.13.0",
        "3.14.0",
        "3.15.0",
        "3.15.1",
        "3.15.10",
        "3.15.2",
        "3.15.3",
        "3.15.3a1",
        "3.15.3a2",
        "3.15.4",
        "3.15.5",
        "3.15.6",
        "3.15.7",
        "3.15.8",
        "3.15.9",
        "3.2.0",
        "3.3.0",
        "3.3.1",
        "3.3.2",
        "3.3.3",
        "3.3.4",
        "3.4.0",
        "3.4.0.dev0",
        "3.4.1",
        "3.4.2",
        "3.4.3",
        "3.4.4",
        "3.4.5",
        "3.5.0",
        "3.6.0",
        "3.6.0.dev0",
        "3.6.1",
        "3.6.2",
        "3.6.3",
        "3.6.4",
        "3.6.5",
        "3.6.6",
        "3.7.0",
        "3.7.1",
        "3.8.0",
        "3.9.0",
        "3.9.1",
        "4.0.0",
        "4.1.0",
        "4.2.0",
        "4.2.1",
        "4.2.2",
        "4.2.3",
        "4.2.4",
        "4.3.0",
        "4.3.1",
        "4.4.0",
        "4.4.1",
        "4.4.2",
        "4.4.3",
        "4.4.5",
        "4.5.0",
        "4.6.0",
        "4.6.0a1",
        "5.0.0",
        "5.0.0a1",
        "5.1.0",
        "5.1.0a1",
        "5.1.1",
        "5.1.2",
        "5.1.3",
        "5.1.4",
        "5.2.0",
        "5.2.1",
        "5.2.2",
        "5.3.0",
        "5.3.1",
        "5.3.2",
        "5.3.3",
        "5.4.1",
        "5.4.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53528",
    "GHSA-2gxp-6r36-m97r"
  ],
  "details": "Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the \"/docs\" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user\u0027s session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.",
  "id": "PYSEC-2025-71",
  "modified": "2025-07-23T15:24:03.825615+00:00",
  "published": "2025-07-21T21:15:25+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r"
    },
    {
      "type": "FIX",
      "url": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728"
    }
  ]
}

FKIE_CVE-2025-53528

Vulnerability from fkie_nvd - Published: 2025-07-21 21:15 - Updated: 2025-07-23 15:15

Severity ?

7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728
	security-advisories@github.com	https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the \"/docs\" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user\u0027s session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3."
    },
    {
      "lang": "es",
      "value": "Cadwyn crea un control de versiones de API moderno, similar a Stripe, basado en la comunidad y listo para producci\u00f3n en FastAPI. En las versiones 5.4.3 y anteriores, el par\u00e1metro de versi\u00f3n del endpoint \"/docs\" es vulnerable a un ataque XSS reflejado (Cross-Site Scripting). Este XSS permitir\u00eda a un atacante ejecutar c\u00f3digo JavaScript en la sesi\u00f3n de un usuario para cualquier aplicaci\u00f3n basada en Cadwyn mediante un ataque de un solo clic. La vulnerabilidad se ha corregido en la versi\u00f3n 5.4.4."
    }
  ],
  "id": "CVE-2025-53528",
  "lastModified": "2025-07-23T15:15:33.743",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-21T21:15:25.883",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-2GXP-6R36-M97R

Vulnerability from github – Published: 2025-07-21 14:08 – Updated: 2025-07-23 18:41

Summary

Cadwyn vulnerable to XSS on the docs page

Details

Summary

The version parameter of the /docs endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack.

PoC

Setup a minimal app following the quickstart guide: https://docs.cadwyn.dev/quickstart/setup/
Click on the following PoC link: http://localhost:8000/docs?version=%27%2balert(document.domain)%2b%27

Impact

Refer to this security advisory for an example of the impact of a similar vulnerability that shares the same root cause.

This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack.

A CVSS for the average case may be: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Details

The vulnerable code snippet can be found in the 2 functions swagger_dashboard and redoc_dashboard: https://github.com/zmievsa/cadwyn/blob/main/cadwyn/applications.py#L387-L413

The implementation uses the get_swagger_ui_html function from FastAPI. This function does not encode or sanitize its arguments before using them to generate the HTML for the swagger documentation page and is not intended to be used with user-controlled arguments.

    async def swagger_dashboard(self, req: Request) -> Response:
        version = req.query_params.get("version")

        if version:
            root_path = self._extract_root_path(req)
            openapi_url = root_path + f"{self.openapi_url}?version={version}"
            oauth2_redirect_url = self.swagger_ui_oauth2_redirect_url
            if oauth2_redirect_url:
                oauth2_redirect_url = root_path + oauth2_redirect_url
            return get_swagger_ui_html(
                openapi_url=openapi_url,
                title=f"{self.title} - Swagger UI",
                oauth2_redirect_url=oauth2_redirect_url,
                init_oauth=self.swagger_ui_init_oauth,
                swagger_ui_parameters=self.swagger_ui_parameters,
            )
        return self._render_docs_dashboard(req, cast("str", self.docs_url))

In this case, the openapi_url variable contains the version which comes from a user supplied query string without encoding or sanitisation. The user controlled injection ends up inside of a string in a <script> tag context: https://github.com/fastapi/fastapi/blob/master/fastapi/openapi/docs.py#L132

    f"""
    ...
    const ui = SwaggerUIBundle({{
        url: '{openapi_url}',
    """

By simply injecting a single quote we can escape from the string context and execute JavaScript like so '+alert(document.domain)+'

The resulting HTML sent back from the server contains the following injection:

  const ui = SwaggerUIBundle({
        url: '/openapi/flows.json?flows='+alert(document.domain)+'',

Severity ?

7.6 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cadwyn"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53528"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-21T14:08:40Z",
    "nvd_published_at": "2025-07-21T21:15:25Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `version` parameter of the `/docs` endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack.\n\n### PoC\n1. Setup a minimal app following the quickstart guide: https://docs.cadwyn.dev/quickstart/setup/\n2. Click on the following PoC link: http://localhost:8000/docs?version=%27%2balert(document.domain)%2b%27\n\n### Impact\nRefer to this [security advisory](https://github.com/Visionatrix/Visionatrix/security/advisories/GHSA-w36r-9jvx-q48v) for an example of the impact of a similar vulnerability that shares the same root cause.\n\nThis XSS would notably allow an attacker to execute JavaScript code on a user\u0027s session for any application based on `Cadwyn` via a one-click attack.\n\nA CVSS for the average case may be: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L\n\n### Details\nThe vulnerable code snippet can be found in the 2 functions `swagger_dashboard` and `redoc_dashboard`: https://github.com/zmievsa/cadwyn/blob/main/cadwyn/applications.py#L387-L413\n\nThe implementation uses the [get_swagger_ui_html](https://fastapi.tiangolo.com/reference/openapi/docs/?h=get_swagger_ui_html#fastapi.openapi.docs.get_swagger_ui_html) function from FastAPI. This function does not encode or sanitize its arguments before using them to generate the HTML for the swagger documentation page and is not intended to be used with user-controlled arguments.\n\n```python\n    async def swagger_dashboard(self, req: Request) -\u003e Response:\n        version = req.query_params.get(\"version\")\n\n        if version:\n            root_path = self._extract_root_path(req)\n            openapi_url = root_path + f\"{self.openapi_url}?version={version}\"\n            oauth2_redirect_url = self.swagger_ui_oauth2_redirect_url\n            if oauth2_redirect_url:\n                oauth2_redirect_url = root_path + oauth2_redirect_url\n            return get_swagger_ui_html(\n                openapi_url=openapi_url,\n                title=f\"{self.title} - Swagger UI\",\n                oauth2_redirect_url=oauth2_redirect_url,\n                init_oauth=self.swagger_ui_init_oauth,\n                swagger_ui_parameters=self.swagger_ui_parameters,\n            )\n        return self._render_docs_dashboard(req, cast(\"str\", self.docs_url))\n```\n\nIn this case, the `openapi_url` variable contains the version which comes from a user supplied query string without encoding or sanitisation. The user controlled injection ends up inside of a string in a `\u003cscript\u003e` tag context: https://github.com/fastapi/fastapi/blob/master/fastapi/openapi/docs.py#L132\n\n```python\n    f\"\"\"\n    ...\n    const ui = SwaggerUIBundle({{\n        url: \u0027{openapi_url}\u0027,\n    \"\"\"\n```\n\nBy simply injecting a single quote we can escape from the string context and execute JavaScript like so `\u0027+alert(document.domain)+\u0027`\n\nThe resulting HTML sent back from the server contains the following injection:\n\n```python\n  const ui = SwaggerUIBundle({\n        url: \u0027/openapi/flows.json?flows=\u0027+alert(document.domain)+\u0027\u0027,\n```",
  "id": "GHSA-2gxp-6r36-m97r",
  "modified": "2025-07-23T18:41:43Z",
  "published": "2025-07-21T14:08:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53528"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cadwyn/PYSEC-2025-71.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zmievsa/cadwyn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zmievsa/cadwyn/blob/5.4.3/CHANGELOG.md#543"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cadwyn vulnerable to XSS on the docs page"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-53528 (GCVE-0-2025-53528)

PYSEC-2025-71

FKIE_CVE-2025-53528

GHSA-2GXP-6R36-M97R

Summary

PoC

Impact

Details

Tags

Sightings

Nomenclature