CVE-2025-66629: Unprotected OAuth2 Endpoints in HedgeDoc Expose Users to CSRF Attacks

Overview

CVE-2025-66629 is a Cross-Site Request Forgery (CSRF) weakness in HedgeDoc, an open-source, real-time collaborative Markdown notes application. The OAuth2 endpoints that handle social login through providers such as Google, GitHub, GitLab, Facebook and Dropbox did not send an OAuth2 "state" parameter with the authorization request, so the provider's callback could not be checked against the session that started the login. The flaw affects versions before 1.10.4 and is fixed in version 1.10.4.

Technical Details

HedgeDoc's OAuth2 social login endpoints carried no CSRF protection. The OAuth2 "state" parameter exists for exactly this purpose: the client generates an unguessable, session-bound value, sends it on the authorization request, and accepts the provider's callback only if the same value comes back. Without it, the callback handler cannot tell whether the authorization code it receives belongs to a flow the current user started. The attack is therefore a login CSRF: the attacker begins a social login with an attacker-controlled provider account, captures the callback URL that carries the attacker's authorization code instead of following it, and gets an authenticated HedgeDoc user to open that URL, for example from a malicious page. The victim's browser completes the callback inside the victim's session, and HedgeDoc links the attacker's provider account to the victim's HedgeDoc account.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) base score for CVE-2025-66629 is 3.7, a LOW severity: the vulnerability is real, but its impact is limited. The vector, as read here, breaks down as follows:

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H) – exploitation depends on conditions outside the attacker's control; in CVSS terms this is separate from the user interaction counted under UI below.
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R) – the victim must open an attacker-supplied link or visit a page that triggers the callback.
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): Low (L) – an attacker can link an attacker-controlled provider account to the victim's HedgeDoc account.
  • Availability Impact (A): None (N)

Possible Impact

Successful exploitation of this CSRF vulnerability has the following consequences:

  • The attacker links an attacker-controlled account at a social login provider (e.g., Google, GitHub, GitLab) to the victim's HedgeDoc account.
  • If that linked provider account can then be used to sign in, the attacker gains unauthorized access to the victim's HedgeDoc account.
  • With that access, the attacker can read, modify or delete the victim's notes, or create new notes in the victim's name.

Mitigation and Patch Steps

The fix is to upgrade HedgeDoc to version 1.10.4 or later, which adds the missing state handling to the OAuth2 endpoints. Follow these steps:

  1. Back up your HedgeDoc data: before upgrading, take a backup of the database and uploads so the instance can be restored if the upgrade goes wrong.
  2. Upgrade HedgeDoc: follow the official HedgeDoc upgrade instructions for your installation method (package, Docker, or source), available on the HedgeDoc website.
  3. Verify the upgrade: start a social login and confirm that the redirect to the provider carries a state query parameter, and that a callback sent back with a missing or altered state value is rejected instead of completing the login.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
