CVE-2025-31383: Cross-Site Request Forgery (CSRF) in sodena FrescoChat Live Chat
Cross-Site Request Forgery (CSRF) vulnerability in sodena FrescoChat Live Chat flexytalk-widget allows Stored XSS. This issue affects FrescoChat Live Chat: from n/a through <= 3.2.6.
AI Analysis
Technical Summary
CVE-2025-31383 identifies a security vulnerability in the sodena FrescoChat Live Chat product, specifically within the flexytalk-widget component. The vulnerability is a Cross-Site Request Forgery (CSRF) that enables Stored Cross-Site Scripting (XSS) attacks. CSRF vulnerabilities allow attackers to trick authenticated users into submitting unauthorized requests to a web application, leveraging the victim's credentials and session. In this case, the CSRF flaw facilitates the injection of malicious scripts that are stored persistently within the chat interface, leading to Stored XSS. Stored XSS is particularly dangerous because the malicious payload is saved on the server and served to multiple users, potentially compromising their browsers, stealing session tokens, or performing actions on their behalf. The affected versions include all releases up to 3.2.6, with no fixed version currently indicated. No public exploits have been reported, but the vulnerability is publicly disclosed and should be considered exploitable. The lack of a CVSS score requires an assessment based on the nature of the vulnerability: the combination of CSRF and Stored XSS can lead to significant confidentiality, integrity, and availability impacts, especially in environments where FrescoChat is used for customer interaction or internal communication. The vulnerability was reserved in late March 2025 and published in early April 2025 by Patchstack. No patches or mitigation links are currently provided, indicating that users must rely on other defensive measures until an official fix is released.
Potential Impact
The impact of CVE-2025-31383 is substantial for organizations using FrescoChat Live Chat, particularly those relying on it for customer support or internal communication. Exploitation of this vulnerability can lead to unauthorized actions performed on behalf of authenticated users due to CSRF, combined with persistent malicious script injection via Stored XSS. This can result in session hijacking, credential theft, defacement, or spreading malware to users interacting with the chat widget. The persistent nature of Stored XSS increases the attack surface and duration of exposure, potentially affecting multiple users over time. Confidentiality is at risk as attackers may steal sensitive information; integrity is compromised through unauthorized actions or data manipulation; availability could be affected if attackers disrupt chat services or inject disruptive scripts. The absence of known exploits in the wild reduces immediate risk but does not diminish the potential for targeted attacks, especially against high-value organizations. The scope includes all users interacting with the vulnerable chat widget, which may be extensive depending on deployment scale. Organizations with high customer interaction volumes or sensitive communications are particularly vulnerable.
Mitigation Recommendations
Until an official patch is released, organizations should implement specific mitigations to reduce risk. First, apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the chat widget context. Second, implement anti-CSRF tokens or verify the Origin and Referer headers on requests to the chat widget to prevent unauthorized cross-site requests. Third, sanitize and validate all user inputs rigorously on the server side to prevent injection of malicious scripts. Fourth, consider temporarily disabling or restricting the FrescoChat Live Chat widget on critical systems or sensitive pages until a fix is available. Fifth, monitor web server and application logs for unusual requests or patterns indicative of CSRF or XSS exploitation attempts. Finally, educate users and administrators about the risks and signs of exploitation. Once a patch is available, prioritize immediate deployment. Additionally, consider deploying Web Application Firewalls (WAFs) with rules targeting CSRF and XSS attack patterns specific to FrescoChat.
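The second and third recommendations above (anti-CSRF tokens, Origin/Referer verification, and server-side sanitization of stored chat text) can be combined into a single request gate. The following is an added illustration and not code from FrescoChat, sodena or Patchstack; the endpoint name, the `ALLOWED_ORIGINS` set and the dictionary-shaped request objects are assumptions made for the example, and a real deployment would wire the same checks into its own framework's request and session objects.

```python
import hmac
import html
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Origins from which state-changing requests to the chat endpoint are expected.
# Constructed for this example; a real deployment lists its own site origins.
ALLOWED_ORIGINS = {"https://chat.example.com"}


def new_csrf_token() -> str:
    """Generate a per-session token; keep it server-side and embed it in the widget's form/JS."""
    return secrets.token_urlsafe(32)


def origin_of(url: str) -> str:
    """Reduce a URL taken from Origin or Referer to scheme://host[:port], or "" if unparseable.

    A literal "Origin: null" (sent for sandboxed or privacy-sensitive contexts) has no
    scheme and therefore maps to "" and is rejected by the caller.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_csrf(headers: dict, submitted_token: Optional[str],
               session_token: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a state-changing request.

    Two independent checks must both pass: (1) the browser-supplied Origin header, or
    Referer as a fallback, must name an allowed origin; (2) the submitted anti-CSRF
    token must equal the token bound to the session, compared in constant time.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False, "missing Origin and Referer"
    src_origin = origin_of(source)
    if src_origin not in ALLOWED_ORIGINS:
        return False, f"cross-site request from {src_origin or 'unparseable origin'}"
    if not submitted_token or not session_token:
        return False, "missing anti-CSRF token"
    if not hmac.compare_digest(submitted_token.encode(), session_token.encode()):
        return False, "anti-CSRF token mismatch"
    return True, "ok"


def sanitize_message(text: str, max_len: int = 2000) -> str:
    """Escape HTML metacharacters so stored chat text renders as text, never as markup."""
    return html.escape(text[:max_len], quote=True)


def handle_chat_message(headers: dict, form: dict, session: dict) -> dict:
    """Simulated chat endpoint: refuse cross-site requests, then store only escaped text."""
    ok, reason = check_csrf(headers, form.get("csrf_token"), session.get("csrf_token"))
    if not ok:
        return {"status": 403, "error": reason}
    stored = sanitize_message(form.get("message", ""))
    return {"status": 200, "stored": stored}


if __name__ == "__main__":
    token = new_csrf_token()
    session = {"csrf_token": token}
    # Same-origin request carrying the session's token: accepted, markup neutralised.
    print(handle_chat_message({"Origin": "https://chat.example.com"},
                              {"csrf_token": token, "message": "<b>hi</b>"}, session))
    # Request forged from another site: refused before any content is stored.
    print(handle_chat_message({"Origin": "https://other.example"},
                              {"csrf_token": token, "message": "<b>hi</b>"}, session))
```

The Origin check and the token check are deliberately independent: if a proxy strips Referer or a browser sends `Origin: null`, the request is refused rather than waved through, and a token that leaks into a forged request still fails the origin test. Escaping at storage time means a payload that slips past the CSRF gate is still rendered as inert text when the widget later serves it to other users.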
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-03-28T10:59:17.384Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69cd7345e6bfc5ba1def1701
Added to database: 4/1/2026, 7:34:29 PM
Last enriched: 4/2/2026, 1:06:05 AM
Last updated: 4/6/2026, 9:27:48 AM