Overview
CVE-2025-66458 identifies a cross-site scripting (XSS) vulnerability found in Lookyloo, a web interface for capturing website pages and displaying domain call trees. Versions prior to 1.35.3 are affected. The vulnerability stems from the unsafe use of f-strings in Markup, potentially allowing malicious third-party servers to inject JavaScript code. An update to version 1.35.3 resolves this critical security flaw.
Technical Details
The XSS vulnerability in Lookyloo arises from the application’s handling of data received from external servers. Specifically, the unsafe use of f-strings in the Markup component allows a malicious actor to inject arbitrary JavaScript code into the rendered web page. The attack requires a compromised or malicious third-party server to respond with a JSON document containing JavaScript within a <script> element. When Lookyloo processes this malicious response, the injected script is executed in the user’s browser, potentially leading to data theft, session hijacking, or other malicious activities.
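The pattern described above, as an added illustration that is not Lookyloo's own code: an f-string interpolates attacker-controlled data into the HTML before `Markup` wraps it, so `Markup` marks the finished string as safe and nothing escapes the `<script>` element. The fix is to let `Markup.format()` escape each substitution, or to call `escape()` on the value before interpolating. The JSON response below is constructed for the demonstration, and the stdlib stand-in for `markupsafe` is an assumption used only so the block runs without that package installed.

```python
import json

try:
    from markupsafe import Markup, escape
except ImportError:
    # Assumption: markupsafe may be absent; this minimal stand-in keeps the same
    # contract (Markup marks text as safe, format() and escape() HTML-escape input).
    from html import escape as _html_escape

    class Markup(str):
        def format(self, *args, **kwargs):
            return Markup(str.format(
                self,
                *(_html_escape(str(a), quote=True) for a in args),
                **{k: _html_escape(str(v), quote=True) for k, v in kwargs.items()}))

    def escape(s):
        return Markup(_html_escape(str(s), quote=True))

# Constructed JSON document of the kind a malicious third-party server could return.
MALICIOUS_RESPONSE = json.dumps({"title": "<script>alert(1)</script>", "status": "ok"})


def render_vulnerable(response_json: str) -> str:
    """Vulnerable pattern: the f-string builds the HTML from the raw value first,
    so Markup only ever sees a finished string and marks it as already safe."""
    data = json.loads(response_json)
    return Markup(f"<span class='title'>{data['title']}</span>")


def render_fixed(response_json: str) -> str:
    """Fixed pattern: Markup.format() HTML-escapes each substituted argument."""
    data = json.loads(response_json)
    return Markup("<span class='title'>{}</span>").format(data["title"])


def render_fixed_explicit(response_json: str) -> str:
    """Equivalent fix if an f-string is kept: escape the value before interpolating."""
    data = json.loads(response_json)
    return Markup(f"<span class='title'>{escape(data['title'])}</span>")


def contains_live_script(html: str) -> bool:
    """Crude check for the demonstration: does an unescaped <script> tag survive?"""
    return "<script>" in html
```

Grepping a code base for `Markup(f"` finds the vulnerable pattern; `Markup("...").format(...)` or `escape()` on each interpolated value is the safe replacement.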
CVSS Analysis
Currently, a CVSS score and severity level have not been assigned to CVE-2025-66458. However, given that it’s an XSS vulnerability, it’s important to treat it seriously. While the exploit requires a malicious third-party server, the potential impact on users is significant. We will update this section as soon as a CVSS score becomes available.
Possible Impact
Successful exploitation of this XSS vulnerability could have several serious consequences:
- Data Theft: An attacker could steal sensitive information, such as cookies, session tokens, and user credentials.
- Session Hijacking: An attacker could hijack a user’s session and gain unauthorized access to their account.
- Malware Distribution: An attacker could inject malicious code that redirects users to phishing sites or installs malware on their systems.
- Defacement: An attacker could alter the appearance of the Lookyloo interface and potentially disrupt functionality.
Mitigation and Patch Steps
The most effective way to mitigate this vulnerability is to upgrade Lookyloo to version 1.35.3 or later. This version contains a fix that prevents the execution of arbitrary JavaScript code from malicious third-party servers.
- Upgrade Lookyloo: The primary mitigation is to update Lookyloo to version 1.35.3 or higher. Follow the official Lookyloo documentation for upgrade instructions.
- Verify the Update: After upgrading, verify that the new version is running correctly.
References
- CVE ID: CVE-2025-66458
- Commit fixing the vulnerability: https://github.com/Lookyloo/lookyloo/commit/b6ee2fee0afff0b35f37dd891bbce9d53ed8a290
- GitHub Security Advisory: https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-58h2-652v-gq87
