CVE-2025-53941 (GCVE-0-2025-53941)
Vulnerability from cvelistv5 – Published: 2025-07-17 14:01 – Updated: 2025-07-17 14:21
VLAI?
Title
Hollo renders posts received with form elements and allows submission
Summary
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| fedify-dev | hollo |
Affected:
< 0.6.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53941",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T14:19:28.629628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T14:21:36.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hollo",
"vendor": "fedify-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T14:01:34.436Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h"
},
{
"name": "https://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410"
},
{
"name": "https://github.com/fedify-dev/hollo/releases/tag/0.6.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/releases/tag/0.6.5"
}
],
"source": {
"advisory": "GHSA-w7gc-g3x7-hq8h",
"discovery": "UNKNOWN"
},
"title": "Hollo renders posts received with form elements and allows submission"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53941",
"datePublished": "2025-07-17T14:01:34.436Z",
"dateReserved": "2025-07-14T17:23:35.262Z",
"dateUpdated": "2025-07-17T14:21:36.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-53941\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-17T14:15:32.737\",\"lastModified\":\"2025-07-17T21:15:50.197\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Hollo es un software de microblogging federado para un solo usuario, dise\u00f1ado para federarse a trav\u00e9s de ActivityPub. Las versiones anteriores a la 0.6.5 permiten el env\u00edo de elementos de formulario HTML, lo que hace que el software sea vulnerable a la inyecci\u00f3n de HTML. La versi\u00f3n 0.6.5 soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fedify-dev/hollo/releases/tag/0.6.5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53941\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-17T14:19:28.629628Z\"}}}], \"references\": [{\"url\": \"https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-17T14:19:36.467Z\"}}], \"cna\": {\"title\": \"Hollo renders posts received with form elements and allows submission\", \"source\": {\"advisory\": \"GHSA-w7gc-g3x7-hq8h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"fedify-dev\", \"product\": \"hollo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.6.5\"}]}], \"references\": [{\"url\": \"https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h\", \"name\": \"https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410\", \"name\": \"https://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/fedify-dev/hollo/releases/tag/0.6.5\", \"name\": \"https://github.com/fedify-dev/hollo/releases/tag/0.6.5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-17T14:01:34.436Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-53941\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-17T14:21:36.942Z\", \"dateReserved\": \"2025-07-14T17:23:35.262Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-17T14:01:34.436Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…