CVE-2025-64744: OpenObserve Organization Name XSS Flaw Exposes Invitation Emails

Overview

CVE-2025-64744 describes a low-severity Cross-Site Scripting (XSS) vulnerability in OpenObserve, a cloud-native observability platform. According to the advisory, versions up to and including 0.16.1 are affected. The issue arises when an organization is created or renamed with HTML markup in its name: that markup is rendered unescaped inside the invitation email sent to newly invited users. Whether injected script actually executes depends on the recipient's mail client and its configuration, but the injected HTML itself is rendered as part of a legitimate message from the OpenObserve instance.

Technical Details

The vulnerability stems from missing HTML output encoding when the organization name is placed into the invitation email template. The user-controlled value is interpolated directly into the HTML body, so an attacker who can set the name can inject arbitrary markup, including <script> tags, event handlers, links and form elements, into the message every invitee receives.

An attacker could exploit this by creating (or renaming) an organization with a name such as <script>alert('XSS')</script> and then inviting the target user. The invitation email arrives from the OpenObserve instance's own sender address with the payload embedded in its HTML. If the mail client executes the script, the attacker could act in the context of whatever the client exposes to that content or exfiltrate information; more realistically, because most modern mail clients strip or ignore JavaScript, the practical threat is HTML injection (spoofed content, links and forms) delivered inside a message the recipient has every reason to trust. The severity is rated low for exactly this reason: script execution is usually blocked by the client, but that protection is not guaranteed, especially with older or misconfigured clients.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) base score for CVE-2025-64744 is 3.5 (Low). That score corresponds to the CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N.

This score reflects the following factors:

  • Attack Vector (AV): Network (N) – The organization is created or renamed through the web application, and the payload is delivered by email.
  • Attack Complexity (AC): Low (L) – No special conditions are needed beyond ordinary use of the product: create or rename an organization, then send an invitation. (Note that with AC:H the same vector would score 2.6, not 3.5.)
  • Privileges Required (PR): Low (L) – Requires an account that can create or rename an organization.
  • User Interaction (UI): Required (R) – The invited user must open the email.
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): Low (L) – Limited modification of what the recipient sees and interacts with inside the email, depending on the mail client.
  • Availability Impact (A): None (N)
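To make the scoring above checkable rather than take it on faith, here is a small CVSS v3.1 base-score calculator, added to this write-up as an illustration (it is not part of OpenObserve or of the advisory). It parses a vector string, applies the v3.1 equations and the specification's Roundup function, and shows that the published 3.5 matches AC:L while AC:H would give 2.6.

```rust
// CVSS v3.1 base score from a vector string (example code added to this
// write-up; weights and equations follow the CVSS v3.1 specification).

#[derive(Clone, Copy)]
enum Scope {
    Unchanged,
    Changed,
}

/// Roundup as defined in CVSS v3.1 Appendix A: round to one decimal, upwards,
/// computed on an integer to avoid floating-point surprises.
fn roundup(x: f64) -> f64 {
    let int_input = (x * 100_000.0).round() as i64;
    if int_input % 10_000 == 0 {
        int_input as f64 / 100_000.0
    } else {
        ((int_input / 10_000) as f64 + 1.0) / 10.0
    }
}

fn cia(v: &str) -> Option<f64> {
    match v {
        "H" => Some(0.56),
        "L" => Some(0.22),
        "N" => Some(0.0),
        _ => None,
    }
}

/// Returns the base score for a CVSS:3.x vector, or None if the vector is malformed.
pub fn base_score(vector: &str) -> Option<f64> {
    let (mut av, mut ac, mut pr, mut ui) = (None, None, None, None);
    let (mut scope, mut c, mut i, mut a) = (None, None, None, None);
    for part in vector.split('/') {
        let (k, v) = part.split_once(':')?;
        match k {
            "CVSS" => {
                if v != "3.1" && v != "3.0" {
                    return None;
                }
            }
            "AV" => av = Some(match v { "N" => 0.85, "A" => 0.62, "L" => 0.55, "P" => 0.20, _ => return None }),
            "AC" => ac = Some(match v { "L" => 0.77, "H" => 0.44, _ => return None }),
            "PR" => pr = Some(v), // weight depends on Scope, resolved below
            "UI" => ui = Some(match v { "N" => 0.85, "R" => 0.62, _ => return None }),
            "S" => scope = Some(match v { "U" => Scope::Unchanged, "C" => Scope::Changed, _ => return None }),
            "C" => c = Some(cia(v)?),
            "I" => i = Some(cia(v)?),
            "A" => a = Some(cia(v)?),
            _ => return None,
        }
    }
    let scope = scope?;
    let pr = match (pr?, scope) {
        ("N", _) => 0.85,
        ("L", Scope::Unchanged) => 0.62,
        ("L", Scope::Changed) => 0.68,
        ("H", Scope::Unchanged) => 0.27,
        ("H", Scope::Changed) => 0.50,
        _ => return None,
    };
    // ISS = 1 - (1-C)(1-I)(1-A); Impact and Exploitability per the spec.
    let iss = 1.0 - (1.0 - c?) * (1.0 - i?) * (1.0 - a?);
    let impact = match scope {
        Scope::Unchanged => 6.42 * iss,
        Scope::Changed => 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02).powi(15),
    };
    let exploitability = 8.22 * av? * ac? * pr * ui?;
    if impact <= 0.0 {
        return Some(0.0);
    }
    Some(match scope {
        Scope::Unchanged => roundup((impact + exploitability).min(10.0)),
        Scope::Changed => roundup((1.08 * (impact + exploitability)).min(10.0)),
    })
}

fn main() {
    let published = "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N";
    let with_high_ac = "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N";
    println!("{} -> {:?}", published, base_score(published));       // Some(3.5)
    println!("{} -> {:?}", with_high_ac, base_score(with_high_ac)); // Some(2.6)
}
```

The Impact sub-score here comes entirely from I:L (6.42 × 0.22 ≈ 1.41); the Exploitability sub-score with AC:L is about 2.07, and 1.41 + 2.07 rounds up to 3.5. Swapping in AC:H drops Exploitability to about 1.18, giving 2.6.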

Possible Impact

While the CVSS score is low, the potential impact should not be dismissed. The injected content arrives in a genuine email from the victim's own OpenObserve deployment, which lends it credibility. Successful exploitation could lead to:

  • Phishing attacks: The injected HTML could present a convincing fake login form or "accept invitation" button inside the email.
  • Information disclosure: Depending on the mail client, the attacker may learn limited details about the recipient or their environment, for example whether and when the message was opened if the client fetches remote resources referenced by the injected HTML.
  • Redirection to malicious websites: Injected links, or script where the client executes it, could send the user to an attacker-controlled site.

The actual impact depends heavily on the mail client's security settings and on the user's behaviour.

Mitigation or Patch Steps

As of the advisory's publication date (2025-11-13), no patched version of OpenObserve had been listed.

Recommended mitigation steps include:

  • Output Encoding: This is the actual fix. HTML-encode the organization name (and every other untrusted value) at the point where it is inserted into the invitation email template, using encoding appropriate to the context (element content versus attribute value). A templating engine that escapes by default removes the chance of forgetting a call site.
  • Input Validation: As defence in depth, restrict organization names server-side to an allow-list of characters and a sensible length, so markup cannot be stored in the first place. Client-side validation improves usability only; it provides no security because the attacker controls the client.
  • Content Security Policy (CSP): Not an effective control for this issue. CSP is enforced by web browsers, and mail clients generally do not honour CSP headers or meta tags in message bodies, so neither the OpenObserve operator nor the recipient can rely on it here.
  • User Awareness: Educate users that an invitation email can carry attacker-controlled content even when it comes from a trusted sender, and to be wary of unexpected formatting, embedded forms or requests for credentials.
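The following Rust example, added here to illustrate both the root cause described under Technical Details and the first two mitigations above, is not OpenObserve's code; the template text, function names and the invitation URL are made up for the example. It shows the unsafe interpolation pattern beside the fixed version that encodes at the output point, plus a server-side allow-list validator for organization names.

```rust
// Illustrative example added to this write-up: HTML injection via an
// organization name in an invitation email, and its fix.
// Not OpenObserve's code; names, template and URL are constructed for the example.

/// Minimal HTML entity encoding for text placed in element content or in a
/// double-quoted attribute. '&' is handled like every other character in a
/// single pass, so no double-encoding can occur.
pub fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for ch in input.chars() {
        match ch {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            c => out.push(c),
        }
    }
    out
}

/// VULNERABLE: the attacker-controlled organization name is interpolated raw
/// into the HTML body, so "<script>...</script>" becomes live markup.
pub fn render_invite_unsafe(org_name: &str, invite_url: &str) -> String {
    format!(
        "<p>You have been invited to join <b>{}</b>.</p>\
         <p><a href=\"{}\">Accept invitation</a></p>",
        org_name, invite_url
    )
}

/// FIXED: every untrusted value is HTML-encoded at the point of output.
pub fn render_invite_safe(org_name: &str, invite_url: &str) -> String {
    format!(
        "<p>You have been invited to join <b>{}</b>.</p>\
         <p><a href=\"{}\">Accept invitation</a></p>",
        html_escape(org_name),
        html_escape(invite_url)
    )
}

/// Defence in depth, enforced server-side: allow-list of characters and a
/// length cap for organization names. Markup characters are rejected outright.
pub fn validate_org_name(name: &str) -> Result<(), &'static str> {
    let trimmed = name.trim();
    if trimmed.is_empty() {
        return Err("organization name must not be empty");
    }
    if trimmed.chars().count() > 100 {
        return Err("organization name too long");
    }
    let allowed = |c: char| c.is_alphanumeric() || matches!(c, ' ' | '-' | '_' | '.');
    if !trimmed.chars().all(allowed) {
        return Err("organization name contains disallowed characters");
    }
    Ok(())
}

fn main() {
    // Constructed attacker input and a made-up invitation URL.
    let payload = "<script>alert('XSS')</script>";
    let url = "https://openobserve.example/invite?token=abc123";

    println!("unsafe: {}", render_invite_unsafe(payload, url));
    println!("safe:   {}", render_invite_safe(payload, url));
    println!("validate({:?}): {:?}", payload, validate_org_name(payload));
    println!("validate(\"Acme Corp\"): {:?}", validate_org_name("Acme Corp"));
}
```

Validation alone is not sufficient: the same organization name may be emitted in other HTML contexts later, and the allow-list may need to be relaxed for legitimate names. Encoding at every output point is what actually closes the bug; validation narrows the attack surface if an encoding call is ever missed.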

Monitor the OpenObserve GitHub repository and security advisories for updates and patched versions. Upgrade to the latest version as soon as a fix is released.

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
