CVE-2025-23112 is a stored cross-site scripting (XSS) vulnerability identified in Vanderbilt REDCap version 14.9.6, a widely used web-based application for managing online surveys and databases, particularly in academic and healthcare research environments. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically within the Survey field name. Authenticated users can inject malicious JavaScript code into the Survey field name, which is then stored on the server. When another user receives the survey and clicks on the maliciously crafted field name, the embedded script executes in the context of the victim's browser. This can lead to unauthorized actions such as session hijacking, data theft, or manipulation of survey responses. The vulnerability requires authentication but no elevated privileges, and user interaction (clicking the field name) is necessary to trigger the payload. The CVSS v3.1 base score is 6.1, reflecting medium severity, with attack vector as network, low attack complexity, no privileges required, and user interaction required. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the vulnerable component, potentially impacting confidentiality and integrity but not availability. No public exploits have been reported yet, and no patches are currently linked, indicating the need for vendor response and user vigilance.

The impact of CVE-2025-23112 on organizations worldwide can be significant, especially those relying on REDCap for sensitive data collection in healthcare, academic research, and clinical trials. Successful exploitation could allow attackers to execute arbitrary scripts in the context of authenticated users, leading to session hijacking, theft of sensitive survey data, or manipulation of survey results, undermining data integrity and confidentiality. This could result in loss of trust, regulatory non-compliance (e.g., HIPAA, GDPR), and potential legal liabilities. Since REDCap is often used in environments handling personally identifiable information (PII) and protected health information (PHI), the risk is amplified. The requirement for user interaction and authentication limits the attack surface but does not eliminate risk, especially in large organizations with many users. The vulnerability does not affect availability directly but could indirectly disrupt operations if exploited at scale or combined with other attacks.

To mitigate CVE-2025-23112, organizations should implement the following specific measures: 1) Immediately review and sanitize all user inputs related to survey field names to ensure proper encoding and neutralization of HTML and JavaScript content, preventing script injection. 2) Apply any vendor-released patches or updates addressing this vulnerability as soon as they become available. 3) Restrict survey field name editing permissions to trusted users only, minimizing the risk of malicious input. 4) Educate users to be cautious when interacting with survey fields, especially clicking on field names in received surveys. 5) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context. 6) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 7) Conduct regular security assessments and penetration testing focused on input validation and XSS vulnerabilities within REDCap deployments. 8) Consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting REDCap.