CVE-2025-30553 identifies a stored cross-site scripting (XSS) vulnerability in the GMO Font Agent software component provided by Z.com byGMO. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and stored persistently within the application. When a victim accesses the affected page, the malicious script executes in their browser context, potentially enabling attackers to steal session cookies, perform actions on behalf of the user, or deliver further payloads such as malware. The affected versions include all releases up to and including version 1.6. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability does not require authentication or user interaction to be exploited once the malicious input is stored, increasing its risk profile. The flaw is typical of stored XSS issues where input sanitization or output encoding is insufficient or missing. This vulnerability is particularly concerning for web applications relying on GMO Font Agent for font rendering or related services, as it can compromise user trust and data confidentiality. The absence of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.

The impact of CVE-2025-30553 is significant for organizations using GMO Font Agent, as stored XSS vulnerabilities can lead to severe consequences including session hijacking, credential theft, unauthorized transactions, and distribution of malware. Attackers can exploit this vulnerability to execute arbitrary JavaScript in the context of users visiting the affected web pages, potentially compromising sensitive data and user accounts. This can result in reputational damage, regulatory penalties, and financial losses. Since the vulnerability does not require authentication, it can be exploited by unauthenticated attackers, increasing the attack surface. The persistence of the injected script means that multiple users can be affected over time, amplifying the scope of impact. Organizations relying on Z.com byGMO services or integrating GMO Font Agent into their web infrastructure are at risk, particularly those with high user traffic or handling sensitive information. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once details become widely known.

To mitigate CVE-2025-30553, organizations should first monitor for any official patches or updates from Z.com byGMO and apply them promptly once available. In the absence of a patch, implement strict input validation on all user inputs that interact with GMO Font Agent components, ensuring that potentially malicious characters are sanitized or rejected. Employ robust output encoding techniques to neutralize any data before rendering it in web pages, particularly in HTML, JavaScript, and attribute contexts. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any injected code. Conduct thorough code reviews and security testing focused on input handling in the affected components. Additionally, monitor web application logs and user activity for signs of suspicious behavior indicative of XSS exploitation attempts. Educate developers and administrators about secure coding practices related to XSS prevention. If feasible, consider isolating or limiting the use of GMO Font Agent until a secure version is released. Finally, implement web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this vulnerability.