
CVE-2025-0667: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in BOINC BOINC Server

Severity: High
Tags: Vulnerability, CVE-2025-0667, cwe-79
Published: Wed May 07 2025 (05/07/2025, 07:38:50 UTC)
Source: CVE
Vendor/Project: BOINC
Product: BOINC Server

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: through 1.4.7.

AI-Powered Analysis

Last updated: 07/05/2025, 13:58:26 UTC

Technical Analysis

CVE-2025-0667 is a high-severity vulnerability classified under CWE-79, improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS). It affects the BOINC Server software, specifically versions up to and including 1.4.7. The flaw allows an attacker to inject malicious scripts that are stored on the server and subsequently executed in the browsers of users who access the affected web pages. The vulnerability is characterized as a Stored XSS, which is more dangerous than reflected XSS because the malicious payload persists on the server and can affect multiple users over time.

According to the CVSS 4.0 vector, the attack vector is network-based (AV:N), requires no privileges (PR:N), and has no additional attack requirements (AT:N), but does require passive user interaction (UI:P), such as visiting a maliciously crafted page or link. The impact on the confidentiality and integrity of the vulnerable system is high (VC:H, VI:H), while the availability impact is low (VA:L). The impact on subsequent systems is low for confidentiality and integrity (SC:L, SI:L), with no availability impact (SA:N).

No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was reserved in January 2025 and published in May 2025 by NCSC.ch and enriched by CISA, indicating credible and authoritative reporting.

The BOINC Server is an open-source platform used primarily for volunteer computing projects, which coordinate distributed computing tasks across many participants. The vulnerability arises from insufficient input sanitization during web page generation, allowing attackers to embed malicious JavaScript code that executes in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the BOINC web interface.

Potential Impact

For European organizations, the impact of CVE-2025-0667 could be significant, especially for research institutions, universities, and scientific projects that rely on BOINC Server for distributed computing. Exploitation of this vulnerability could lead to unauthorized access to sensitive project data, manipulation of computational results, or compromise of user accounts. Since BOINC is used in collaborative scientific environments, a successful attack could undermine trust in research data integrity and confidentiality. Additionally, the Stored XSS could be leveraged to launch further attacks such as phishing or malware distribution within the user base. The high confidentiality and integrity impact means that sensitive information and system operations could be compromised. Although the availability impact is low, the reputational damage and potential regulatory implications under GDPR for data breaches involving personal data could be substantial. Because exploitation requires user interaction, user awareness campaigns covering social engineering could mitigate some of the risk, but the requirement also highlights the need for secure coding and input validation practices.

Mitigation Recommendations

To mitigate CVE-2025-0667, European organizations using BOINC Server should immediately audit their deployment for the affected versions (up to 1.4.7) and plan for an upgrade once a patch is released. In the interim, organizations should implement strict input validation and output encoding on all user-supplied data rendered in web pages to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Regularly review and sanitize stored data inputs, especially those that appear in web interfaces. User education on the risks of clicking untrusted links and recognizing phishing attempts can reduce the likelihood of exploitation. Network-level protections such as Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide additional defense. Monitoring web server logs for unusual input patterns or repeated suspicious requests can help identify attempted exploitation. Finally, organizations should subscribe to BOINC security advisories and coordinate with the vendor for timely patch application once available.


Technical Details

Data Version: 5.1
Assigner Short Name: NCSC.ch
Date Reserved: 2025-01-23T09:00:44.063Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d981bc4522896dcbd9917

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 1:58:26 PM

Last updated: 7/30/2025, 8:58:33 AM
