CVE-2025-24638: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pddring Create with Code
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pddring Create with Code create-with-code allows DOM-Based XSS. This issue affects Create with Code: from n/a through <= 1.4.
AI Analysis
Technical Summary
CVE-2025-24638 identifies a DOM-based cross-site scripting (XSS) vulnerability in the 'Create with Code' software developed by pddring, affecting all versions up to and including 1.4. The flaw stems from improper neutralization of user-supplied input during web page generation, which lets an attacker inject script that executes in the victim's browser context. Unlike reflected or stored XSS, DOM-based XSS happens entirely on the client side: the application's own client-side scripts read untrusted data (for example from the URL) and write it into the DOM without proper encoding, so the server may never see the payload. Exploitation typically requires tricking a user into visiting a specially crafted URL or interacting with manipulated page elements, after which arbitrary JavaScript runs with that user's privileges on the site. Possible consequences include theft of session cookies, redirection to malicious sites, and unauthorized actions performed on behalf of the user. Create with Code is a web development tool or framework; specific data on how widely it is deployed is limited. No patches or fixes are currently linked, and no exploitation in the wild had been reported as of the publication date. Because no CVSS score has been assigned, severity must be assessed by an expert on the basis of impact and exploitability.
Potential Impact
The impact of this DOM-based XSS vulnerability can be significant for organizations using the Create with Code product. Successful exploitation can compromise user confidentiality by stealing session tokens or sensitive data accessible via the browser. It can also affect integrity by enabling attackers to perform unauthorized actions or manipulate displayed content, and availability if malicious scripts disrupt normal application behavior. Since exploitation requires only that a user visit a maliciously crafted page or link, the attack surface is broad and can be leveraged in phishing campaigns or drive-by attacks. Organizations with web applications built on this product risk reputational damage, regulatory penalties if user data is compromised, and potential financial losses. The lack of known exploits currently reduces immediate risk, but the vulnerability’s presence in a development tool means many downstream applications could be affected, amplifying potential impact globally.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first monitor for official patches or updates from pddring and apply them promptly once available. In the interim, developers should review all client-side code that processes untrusted input (URL query strings and fragments, postMessage data, the referrer, browser storage) and ensure proper input validation and output encoding, particularly where user-supplied data is written into the DOM; writing such data as text (textContent) rather than as markup (innerHTML) removes the most common sink. Implementing a robust Content Security Policy (CSP) can restrict the execution of unauthorized scripts and reduce the impact of exploitation. Security teams should conduct code audits and penetration testing focused on client-side script handling. Educating users about phishing risks and suspicious links can reduce the likelihood of successful exploitation. Web application firewalls (WAFs) with rules targeting XSS patterns may provide temporary protection, but a payload carried in the URL fragment never reaches the server, so WAF coverage of DOM-based XSS is inherently partial. Finally, organizations should inventory all applications built with Create with Code to assess exposure and prioritize remediation.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-23T14:51:34.072Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cd7271e6bfc5ba1dee9fb1
Added to database: 4/1/2026, 7:30:57 PM
Last enriched: 4/1/2026, 9:21:40 PM
Last updated: 4/6/2026, 3:06:37 AM