CVE-2025-23720 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Marco Castelluccio Web Push product, specifically affecting all versions up to 1.4.0. Web Push is a tool used to send push notifications to users via web browsers. The CSRF vulnerability allows an attacker to trick an authenticated user into submitting unauthorized requests to the Web Push application. This unauthorized request can lead to Stored Cross-Site Scripting (XSS), where malicious scripts are injected and stored on the server, subsequently executed in the context of other users' browsers. This combination of CSRF and Stored XSS is particularly dangerous because it enables persistent attacks that can steal session tokens, manipulate user data, or perform actions with the victim's privileges. The vulnerability does not currently have a CVSS score, and no patches or known exploits have been reported. The attack requires user interaction (visiting a malicious site) and an authenticated session, which limits but does not eliminate the risk. The absence of patches means organizations must rely on mitigation strategies until an official fix is available.

The impact of CVE-2025-23720 is significant for organizations using the Marco Castelluccio Web Push product. Successful exploitation can lead to unauthorized actions performed with the privileges of authenticated users, potentially resulting in data theft, session hijacking, or unauthorized configuration changes. Stored XSS can facilitate widespread compromise by executing malicious scripts in multiple users' browsers, leading to credential theft, malware distribution, or further network infiltration. The vulnerability undermines the confidentiality and integrity of user data and can disrupt availability if exploited to perform denial-of-service actions indirectly. Organizations relying on Web Push for critical notifications or user engagement risk reputational damage and operational disruption. The requirement for user interaction and authentication reduces the attack surface but does not negate the threat, especially in environments with high user activity or where users have elevated privileges.

To mitigate CVE-2025-23720, organizations should implement several specific measures: 1) Immediately review and restrict the use of Web Push notifications to trusted users and environments. 2) Employ anti-CSRF tokens in all state-changing requests within the Web Push application to prevent unauthorized request forgery. 3) Implement Content Security Policy (CSP) headers to limit the execution of injected scripts and reduce the impact of Stored XSS. 4) Sanitize and validate all user inputs rigorously to prevent script injection and storage. 5) Monitor web application logs for unusual or unauthorized requests indicative of CSRF or XSS attempts. 6) Educate users about the risks of clicking unknown links or visiting untrusted websites while authenticated. 7) Follow the vendor’s updates closely and apply patches promptly once available. 8) Consider isolating the Web Push service or using web application firewalls (WAFs) with rules targeting CSRF and XSS attack patterns. These targeted actions go beyond generic advice and address the specific nature of this vulnerability.