CVE-2025-68467 (GCVE-0-2025-68467)
Vulnerability from cvelistv5 – Published: 2026-03-04 21:53 – Updated: 2026-03-10 17:41
Title
Dark Reader gives users the ability to request style sheets from local web servers
Summary
Dark Reader is an accessibility browser extension that makes web page colors dark. Its dynamic dark mode works by analyzing the colors found in a page's CSS style sheets. To analyze cross-origin style sheets (hosted on origins other than the page's own), Dark Reader requests them via a background worker, sending the request without credentials and checking that the response's content type is CSS. Prior to Dark Reader 4.9.117, the fetched style content was assigned to an HTML Style element in order to parse and loop through its declarations, and was also stored in the page's Session Storage for performance. Both the injected style element and Session Storage are readable by the page's own scripts, so a website author could request a style sheet from a web server running on the user's machine, for example with a link pointing to `http[:]//localhost[:]8080/style[.]css`, and read the response. Brute-forcing the host name, port and file name is unlikely to be practical because of the performance impact (the browser tab would briefly hang), but a style sheet can be retrieved if its full URL is known in advance. As of December 18, 2025 there is no known exploit of the issue. The problem was fixed in version 4.9.117 on December 3, 2025: style sheets are now parsed using the Constructed Style Sheets API, and the contents of cross-origin style sheets are no longer stored in the page's Session Storage. Version 4.9.118 (December 8, 2025) additionally blocks cross-origin requests to localhost aliases, IP addresses, hosts with explicit ports and non-HTTPS resources. The absolute majority of users received update 4.9.117 or 4.9.118 automatically within a week. However, users must ensure that automatic updates are not blocked and that they are running the latest version of the extension by checking the chrome://extensions or about:addons page in browser settings. Users of manual builds must upgrade to version 4.9.118 or later.
Developers using the `darkreader` NPM package on their own websites are likely not affected, but must ensure that the function passed to `setFetchMethod()` for performing cross-origin requests stays within its intended scope. Developers using custom forks of earlier Dark Reader versions to build other extensions, or integrating it into their own apps or browsers, must ensure that cross-origin requests are performed safely and that responses are not accessible outside the app or extension.
Severity
CVSS v3.1 base score 3.4 (LOW), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N (GitHub_M; NVD exploitability 1.6, impact 1.4). CISA SSVC: Exploitation none, Automatable no, Technical Impact partial. EPSS 0.0002 (percentile 0.05822, as of 2026-05-31).
CWE
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-346: Origin Validation Error; CWE-668: Exposure of Resource to Wrong Sphere
Assigner
GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa)
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/darkreader/darkreader/security/advisories/GHSA-x369-mcw8-8rvj | x_refsource_CONFIRM (CNA); Vendor Advisory (NVD) |
Impacted products
1 product
| Vendor | Product | Version | Status |
|---|---|---|---|
| darkreader | darkreader | < 4.9.117 | Affected |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T17:41:41.318931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:41:48.469Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "darkreader",
"vendor": "darkreader",
"versions": [
{
"status": "affected",
"version": "\u003c 4.9.117"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dark Reader is an accessibility browser extension that makes web pages colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. In order to analyze cross-origin style sheets (stored on websites different from the original web page), Dark Reader requests such files via a background worker, ensuring the request is performed with no credentials and that the content type of the response is a CSS file. Prior to Dark Reader 4.9.117, this style content was assigned to an HTML Style Element in order to parse and loop through style declarations, and also stored in page\u0027s Session Storage for performance gains. This could allow a website author to request a style sheet from a locally running web server, for example by having a link pointing to `http[:]//localhost[:]8080/style[.]css`. The brute force of the host name, port and file name would be unlikely due to performance impact, that would cause the browser tab to hang shortly, but it could be possible to request a style sheet if the full URL was known in advance. As per December 18, 2025 there is no known exploit of the issue. The problem has been fixed in version 4.9.117 on December 3, 2025. The style sheets are now parsed using modern Constructed Style Sheets API and the contents of cross-origin style sheets is no longer stored in page\u0027s Session Storage. Version 4.9.118 (December 8, 2025) restricts cross-origin requests to localhost aliases, IP addresses, hosts with ports and non-HTTPS resources. The absolute majority of users have received an update 4.1.117 or 4.9.118 automatically within a week. However users must ensure their automatic updates are not blocked and they are using the latest version of the extension by going to chrome://extensions or about:addons pages in browser settings. Users utilizing manual builds must upgrade to version 4.9.118 and above. Developers using `darkreader` NPM package for their own websites are likely not affected, but must ensure the function passed to `setFetchMethod()` for performing cross-origin requests works within the intended scope. Developers using custom forks of earlier versions of Dark Reader to build other extensions or integrating into their apps or browsers must ensure they perform cross-origin requests safely and the responses are not accessible outside of the app or extension."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668: Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T21:53:02.509Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/darkreader/darkreader/security/advisories/GHSA-x369-mcw8-8rvj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/darkreader/darkreader/security/advisories/GHSA-x369-mcw8-8rvj"
}
],
"source": {
"advisory": "GHSA-x369-mcw8-8rvj",
"discovery": "UNKNOWN"
},
"title": "Dark Reader gives users the ability to request style sheets from local web servers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68467",
"datePublished": "2026-03-04T21:53:02.509Z",
"dateReserved": "2025-12-18T13:48:59.555Z",
"dateUpdated": "2026-03-10T17:41:48.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-68467",
"date": "2026-05-31",
"epss": "0.0002",
"percentile": "0.05822"
},
"nvd": {
"cve": {
"id": "CVE-2025-68467",
"sourceIdentifier": "security-advisories@github.com",
"published": "2026-03-04T22:16:11.860",
"lastModified": "2026-03-18T15:13:35.600",
"vulnStatus": "Analyzed",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"baseScore": 3.4,
"baseSeverity": "LOW",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{"lang": "en", "value": "CWE-200"},
{"lang": "en", "value": "CWE-346"},
{"lang": "en", "value": "CWE-668"}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:darkreader:darkreader:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.117",
"matchCriteriaId": "1C37C5A2-0080-4284-BF9F-CDA03B483B0B"
}
]
}
]
}
],
"references": [
{
"url": "https://github.com/darkreader/darkreader/security/advisories/GHSA-x369-mcw8-8rvj",
"source": "security-advisories@github.com",
"tags": ["Vendor Advisory"]
}
]
}
}
}
}