CVE-2025-22771 identifies a stored cross-site scripting (XSS) vulnerability in Studio Hyperset's product 'The Great Firewords of China,' specifically within the sensitive-chinese-words-scanner feature. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious scripts that are persistently stored on the server. When other users access affected pages, these scripts execute in their browsers under the context of the vulnerable application. This can lead to a range of attacks including theft of authentication tokens, session hijacking, defacement, or unauthorized actions performed on behalf of the victim. The affected versions include all releases up to and including version 1.2, with no patches currently available. While no known exploits have been reported in the wild, the nature of stored XSS makes it a significant threat, especially in environments where users have elevated privileges or sensitive data is handled. The vulnerability does not require authentication or complex user interaction beyond visiting a maliciously crafted page. The lack of CVSS scoring necessitates an independent severity assessment based on the potential impact and exploitability.

The stored XSS vulnerability in 'The Great Firewords of China' can have severe consequences for organizations using this software. Attackers can leverage this flaw to execute arbitrary JavaScript in the context of users' browsers, potentially stealing session cookies, credentials, or other sensitive information. This can lead to unauthorized access to user accounts, data breaches, and further compromise of internal systems. Additionally, attackers might perform actions on behalf of users, such as changing settings or injecting further malicious content. The persistent nature of stored XSS increases the risk as the malicious payload remains active until removed. Organizations relying on this product for Chinese language processing or sensitive word scanning may face reputational damage, regulatory penalties, and operational disruption if exploited. The absence of patches and known exploits suggests a window of exposure that must be addressed proactively.

To mitigate CVE-2025-22771, organizations should implement strict input validation and output encoding on all user-supplied data within 'The Great Firewords of China,' especially in the sensitive-chinese-words-scanner component. Employ context-aware encoding (e.g., HTML entity encoding) to neutralize potentially malicious scripts before rendering. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly audit and sanitize stored content to detect and remove any injected malicious code. Monitor application logs and user reports for suspicious activity indicative of XSS exploitation. Until an official patch is released, consider isolating or restricting access to the vulnerable application, especially for high-privilege users. Engage with the vendor for timely updates and apply patches immediately upon availability. Additionally, educate users about the risks of clicking unknown links and maintain robust endpoint security to detect exploitation attempts.