CVE-2025-5301: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in OnlyOffice Docs (DocumentServer)

Medium
Published: Thu Jun 12 2025 (06/12/2025, 07:59:05 UTC)
Source: CVE Database V5
Vendor/Project: OnlyOffice
Product: Docs (DocumentServer)

Description

ONLYOFFICE Docs (DocumentServer) versions 8.3.1 and below are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the server's HTML response.

AI-Powered Analysis

Last updated: 06/12/2025, 08:23:28 UTC

Technical Analysis

CVE-2025-5301 is a reflected cross-site scripting (XSS) vulnerability affecting ONLYOFFICE Docs (DocumentServer) versions 8.3.1 and earlier. The vulnerability arises due to improper neutralization of input during web page generation, specifically when files are opened via the Web Application Open Platform Interface (WOPI) protocol. An attacker can craft malicious HTTP POST requests containing specially designed payloads that are reflected unsanitized in the HTML response generated by the server. This reflection enables the execution of arbitrary JavaScript code in the context of the victim's browser session. Since the vulnerability is reflected, it requires the victim to interact with a malicious link or file that triggers the crafted request. Exploitation could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user within the ONLYOFFICE environment. The vulnerability does not require authentication to exploit, increasing its risk profile. Although no known exploits are currently reported in the wild, the presence of this vulnerability in a widely used document collaboration platform poses a significant risk, especially in environments where ONLYOFFICE Docs is exposed to untrusted networks or users. The lack of a patch at the time of publication further elevates the urgency for mitigation.

Potential Impact

For European organizations, the impact of CVE-2025-5301 could be substantial, particularly for those relying on ONLYOFFICE Docs for document collaboration and editing. Successful exploitation could compromise user sessions, leading to unauthorized access to sensitive documents and internal communications. This could result in data leakage, intellectual property theft, and disruption of business processes. Additionally, attackers could leverage the XSS vulnerability to deploy further attacks such as phishing or malware delivery within the corporate network. Given the collaborative nature of ONLYOFFICE, the vulnerability could facilitate lateral movement inside an organization’s IT infrastructure. Sectors such as finance, government, healthcare, and critical infrastructure, which often handle sensitive data and rely on document collaboration tools, are at heightened risk. The vulnerability also poses reputational risks and potential regulatory compliance issues under GDPR if personal data is exposed or mishandled due to exploitation.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to ONLYOFFICE Docs servers to trusted internal networks or VPNs to reduce exposure to untrusted users.
2. Implement Web Application Firewall (WAF) rules specifically targeting suspicious POST requests to the WOPI endpoint, filtering out payloads containing script tags or suspicious characters.
3. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS attacks.
4. Conduct thorough input validation and output encoding on all user-supplied data, especially data processed via the WOPI protocol, to prevent script injection.
5. Monitor server logs for unusual POST requests or repeated access attempts to the WOPI interface.
6. Educate users about the risks of clicking on untrusted links or opening files from unknown sources within ONLYOFFICE.
7. Stay alert for official patches or updates from OnlyOffice and prioritize their deployment once available.
8. Consider isolating ONLYOFFICE Docs instances in segmented network zones to limit potential lateral movement in case of compromise.
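
Recommendations 3 and 4 combined, as an added example that is not ONLYOFFICE code and not part of the original advisory: POST fields echoed into an HTML response are encoded for each output context, and the response carries a nonce-based CSP. The function names and the `docTitle` / `userLang` fields are hypothetical; the advisory does not name the reflected parameter.

```javascript
// Encode for HTML text and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Serialize data for an inline <script> block. JSON.stringify alone leaves
// "</script>" intact, so escape the characters that can end the element.
function jsonForScript(data) {
  const map = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
                '\u2028': '\\u2028', '\u2029': '\\u2029' };
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (ch) => map[ch]);
}

// CSP that only runs scripts carrying this response's nonce, so markup that
// slips past encoding still cannot execute as inline script.
function cspHeader(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Build the response for a request whose POST fields are echoed in the page.
// `nonce` must be a fresh random value generated per response by the caller.
function renderEditorPage(postFields, nonce) {
  const config = {
    title: String(postFields.docTitle ?? ''),   // hypothetical field
    lang: String(postFields.userLang ?? 'en'),  // hypothetical field
  };
  const body = [
    '<!doctype html>',
    `<html lang="${escapeHtml(config.lang)}">`,
    `<head><title>${escapeHtml(config.title)}</title></head>`,
    `<body><script nonce="${escapeHtml(nonce)}">window.editorConfig = ${jsonForScript(config)};</script></body>`,
    '</html>',
  ].join('\n');
  const headers = {
    'Content-Security-Policy': cspHeader(nonce),
    'Content-Type': 'text/html; charset=utf-8',
  };
  return { headers, body };
}

// Constructed sample input: values that try to break out of each context.
const sample = {
  docTitle: '</title><script>alert(1)</script>',
  userLang: '"><script>alert(2)</script>',
};
const page = renderEditorPage(sample, 'constructed-nonce-value');
console.log(page.headers['Content-Security-Policy']);
console.log(page.body);
```

The only `<script` sequence left in the rendered body is the nonce-bearing block emitted by the template; both constructed values arrive in the browser as inert text or data.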


Technical Details

Data Version: 5.1
Assigner Short Name: SEC-VLab
Date Reserved: 2025-05-28T09:59:37.753Z
CVSS Version: null
State: PUBLISHED

Threat ID: 684a8afe358c65714e6a37eb

Added to database: 6/12/2025, 8:08:30 AM

Last enriched: 6/12/2025, 8:23:28 AM

Last updated: 6/13/2025, 8:07:21 AM
