GHSA-X369-MCW8-8RVJ

Vulnerability from github – Published: 2026-03-04 18:18 – Updated: 2026-03-05 15:26
VLAI
Summary
Dark Reader gives users the ability to request style sheets from local web servers
Details

Description

Dark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example http://localhost:8080/style.css, If an address was available and returned a text/css content type.

Patches

The problem was fixed in version 4.9.117, released on December 3, 2025. Most users received the update automatically. Users running manual builds must upgrade to version 4.9.117 or later.

The installed extension version number can be verified in Dark Reader's menu (More > All settings > About), browser settings, chrome://extensions or about:addons pages.

Users are encouraged not to disable automatic extension updates and use the latest browser version, as browser releases typically include multiple security fixes of varying severity.

NPM package

The issue does not affect developers using the darkreader NPM package for website integration. Developers using the setFetchMethod() API must ensure the cross-origin requests are restricted to the intended scope.

Custom forks

Developers using custom forks of earlier versions of Dark Reader to build other extensions, or integrating it into their apps or browsers, should review their implementation to ensure cross-origin requests are handled securely.

Acknowledgements

Security research performed by Brian Carpenter - Deep Fork Cyber.

Severity
3.4 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "darkreader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.117"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68467"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-346",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T18:18:23Z",
    "nvd_published_at": "2026-03-04T22:16:11Z",
    "severity": "LOW"
  },
  "details": "### Description\nDark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example `http://localhost:8080/style.css`, If an address was available and returned a `text/css` content type.\n\n### Patches\nThe problem was fixed in version 4.9.117, released on December 3, 2025. Most users received the update automatically. Users running manual builds must upgrade to version 4.9.117 or later.\n\nThe installed extension version number can be verified in Dark Reader\u0027s menu (More \u003e All settings \u003e About), browser settings, `chrome://extensions` or `about:addons` pages.\n\nUsers are encouraged not to disable automatic extension updates and use the latest browser version, as browser releases typically include multiple security fixes of varying severity.\n\n### NPM package\n\nThe issue does not affect developers using the `darkreader` NPM package for website integration. Developers using the `setFetchMethod()` API must ensure the cross-origin requests are restricted to the intended scope.\n\n### Custom forks\n\nDevelopers using custom forks of earlier versions of Dark Reader to build other extensions, or integrating it into their apps or browsers, should review their implementation to ensure cross-origin requests are handled securely.\n\n### Acknowledgements\nSecurity research performed by [Brian Carpenter](https://x.com/geeknik) - [Deep Fork Cyber](https://deepforkcyber.com/).",
  "id": "GHSA-x369-mcw8-8rvj",
  "modified": "2026-03-05T15:26:18Z",
  "published": "2026-03-04T18:18:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/darkreader/darkreader/security/advisories/GHSA-x369-mcw8-8rvj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68467"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/darkreader/darkreader"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dark Reader gives users the ability to request style sheets from local web servers"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.