CVE-2025-23110 is a reflected cross-site scripting (XSS) vulnerability identified in Vanderbilt REDCap version 14.9.6, a widely used research data capture platform. The vulnerability arises from improper neutralization of input (CWE-79) in the email-subject field during the upload of CSV files containing alert configurations. Specifically, an attacker can embed malicious JavaScript code within the email-subject field in a crafted CSV file. When a victim uploads this file, REDCap automatically navigates to a page displaying the uploaded data. If the victim clicks on the email-subject value, the embedded script executes in the victim’s browser context. This reflected XSS requires user interaction (clicking the malicious field) but no authentication or elevated privileges. The vulnerability can be exploited remotely by tricking users into uploading malicious CSV files, potentially leading to session hijacking, credential theft, or unauthorized actions within the victim’s session. The CVSS v3.1 base score is 6.1, reflecting medium severity due to the need for user interaction and limited scope of impact. No public exploits or patches are currently available, emphasizing the need for proactive mitigation. This vulnerability highlights the importance of proper input validation and output encoding in web applications handling user-supplied data, especially in sensitive research environments.

The primary impact of this vulnerability is on confidentiality and integrity within affected REDCap instances. Successful exploitation can allow attackers to execute arbitrary JavaScript in the context of the victim’s browser session, potentially leading to theft of session cookies, credentials, or other sensitive information accessible via the browser. Attackers may also perform unauthorized actions on behalf of the victim, such as modifying data or triggering unintended workflows. Although availability is not directly impacted, the compromise of user sessions can disrupt research activities and data integrity. Given REDCap’s widespread use in academic, clinical, and research institutions globally, exploitation could lead to exposure of sensitive research data or personally identifiable information (PII). The requirement for user interaction (clicking the malicious email-subject) reduces the likelihood of automated mass exploitation but does not eliminate targeted attacks. Organizations relying on REDCap 14.9.6 should consider this vulnerability a significant risk to data confidentiality and user trust.

To mitigate CVE-2025-23110, organizations should implement the following specific measures: 1) Upgrade REDCap to a version where this vulnerability is patched once available from Vanderbilt. 2) Until a patch is released, restrict CSV file uploads to trusted users only and implement strict validation and sanitization of CSV content, especially the email-subject field, to remove or neutralize potentially malicious scripts. 3) Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS payloads. 4) Educate users about the risks of uploading untrusted CSV files and clicking suspicious links or fields within REDCap interfaces. 5) Monitor application logs for unusual upload activities or error messages related to CSV processing. 6) Consider deploying web application firewalls (WAF) with custom rules to detect and block XSS payloads in file uploads. 7) Conduct regular security assessments and code reviews focusing on input validation and output encoding in REDCap customizations. These targeted mitigations go beyond generic advice by focusing on the specific vector and context of this vulnerability.