Overview
CVE-2025-66459 identifies a Cross-Site Scripting (XSS) vulnerability found in Lookyloo, a web interface used for capturing website pages and displaying a tree of domain calls. This vulnerability affects versions prior to 1.35.3. Specifically, the XSS is triggered when a user submits a list of URLs for capture, and one of those URLs contains a malicious HTML element that causes the capture to fail. The error message, intended to inform the user about the failed capture, then inadvertently reflects the malicious URL, executing the embedded script within the user’s browser.
Technical Details
The vulnerability lies in how Lookyloo builds the error messages shown for failed URL captures. When a URL submitted for capture contains HTML elements (particularly ones carrying JavaScript, such as an event-handler attribute), the capture process may fail. The resulting error message includes the malformed URL, embedded HTML and all. Because the application does not sanitize or escape this URL before displaying it in the error field, the injected markup is rendered as HTML and any embedded script runs when the page is displayed. This allows an attacker to execute arbitrary JavaScript in the context of the user’s browser (a reflected XSS).
For example, submitting a URL like `<img src=x onerror=alert('XSS')>` as part of the capture list will trigger the vulnerability if the capture fails and the error message containing this URL is displayed.
CVSS Analysis
No CVSS score has been assigned to this vulnerability, so its severity is currently marked as N/A. The effective score depends on the attack vector, scope, and impact within a particular deployment, so a risk assessment should be performed for your own environment. Even without an official score, XSS vulnerabilities are generally considered high-risk, as they can lead to account compromise, data theft, and other malicious activity.
Possible Impact
The impact of this XSS vulnerability can be significant. An attacker could potentially:
- Steal sensitive information, such as session cookies or user credentials.
- Deface the Lookyloo interface.
- Redirect users to malicious websites.
- Perform actions on behalf of the user without their knowledge or consent.
Mitigation or Patch Steps
The recommended mitigation is to upgrade Lookyloo to version 1.35.3 or later. This version contains a fix that properly sanitizes or escapes the error messages, preventing the XSS vulnerability. Here are the general steps:
- **Backup your Lookyloo instance:** Before upgrading, ensure you have a complete backup of your Lookyloo installation and data.
- **Upgrade to version 1.35.3 or later:** Follow the official Lookyloo upgrade instructions to update your instance. This usually involves using `pip` or `docker`.
- **Verify the fix:** After upgrading, test the system by attempting to submit URLs containing potentially malicious HTML elements. Ensure that the error messages are properly sanitized.
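The snippet below is an added example, not Lookyloo's own code or its actual patch. It shows, in stand-alone Python, the pattern behind the vulnerability described in the Technical Details section (an error message that interpolates the submitted URL unescaped) next to the generic fix (HTML-escaping the URL before it is placed in the page), and a small helper of the kind you might use for the "Verify the fix" step above. The template string, function names and sample URLs are invented for illustration; the only payload used is the one already quoted on this page.

```python
# Added example (not Lookyloo's code): vulnerable vs. escaped rendering of a
# capture-failure error message, plus a check for the verification step.
from html import escape

# Constructed sample inputs: the HTML-element "URL" quoted on this page and a
# benign URL whose query string happens to contain characters that must be escaped.
MALICIOUS_URL = "<img src=x onerror=alert('XSS')>"
BENIGN_URL = "https://example.com/page?q=1&x=<y>"

# Hypothetical error template, standing in for whatever the real UI renders.
ERROR_TEMPLATE = '<div class="alert alert-danger">Unable to capture {url}: capture failed.</div>'


def render_error_vulnerable(url: str) -> str:
    """The flawed pattern: the submitted URL is reflected verbatim into HTML."""
    return ERROR_TEMPLATE.format(url=url)


def render_error_fixed(url: str) -> str:
    """The fix: escape <, >, &, quotes before interpolation so the URL is shown
    as text. quote=True also neutralises the value inside attribute contexts."""
    return ERROR_TEMPLATE.format(url=escape(url, quote=True))


def looks_reflected_unescaped(rendered: str, submitted: str) -> bool:
    """Verification helper: True when a submitted string containing HTML
    metacharacters appears unchanged in the rendered output, i.e. the
    reflection is still unescaped."""
    has_metachar = any(ch in submitted for ch in "<>\"'")
    return has_metachar and submitted in rendered


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_error_vulnerable),
                           ("fixed", render_error_fixed)):
        out = renderer(MALICIOUS_URL)
        print(f"{name}: {out}")
        print(f"  unescaped reflection: {looks_reflected_unescaped(out, MALICIOUS_URL)}")
```

In the escaped output the payload survives only as `&lt;img src=x onerror=alert(&#x27;XSS&#x27;)&gt;`, so the browser displays the string rather than creating an `<img>` element. In a templating engine such as Jinja2 the same effect comes from leaving autoescaping on and never marking the error message as safe; escaping is preferable to stripping tags because the user still sees exactly which URL failed.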
