CVE-2025-53528: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zmievsa cadwyn

High
Tags: Vulnerability, CVE-2025-53528, cve, cwe-79
Published: Mon Jul 21 2025 (07/21/2025, 20:15:17 UTC)
Source: CVE Database V5
Vendor/Project: zmievsa
Product: cadwyn

Description

Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.

AI-Powered Analysis

Last updated: 07/29/2025, 01:15:57 UTC

Technical Analysis

CVE-2025-53528 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability in the Cadwyn project by zmievsa, affecting versions prior to 5.4.3. Cadwyn is an API versioning framework built on FastAPI that provides Stripe-like API versioning. The flaw lies in the handling of the 'version' parameter on the '/docs' endpoint: the value is reflected into the generated page without proper sanitization or encoding, so an attacker can inject JavaScript that runs in the victim's browser session once the victim follows a crafted link (a one-click attack). The CVSS v3.1 score of 7.6 reflects a network attack vector, low attack complexity and no privileges required, with user interaction needed (clicking a malicious link); the impact is high for confidentiality and limited for integrity and availability. The vulnerability is fixed in Cadwyn version 5.4.3, and no exploits in the wild were known as of the publication date. The flaw is classified under CWE-79, a common and well-understood class of web application issue caused by inadequate input validation and output encoding during web page generation.

Potential Impact

For European organizations using Cadwyn versions before 5.4.3, this vulnerability poses a significant risk. Successful exploitation could lead to session hijacking, theft of sensitive user data, or unauthorized actions performed on behalf of authenticated users. This is particularly critical for organizations providing APIs or web services that rely on Cadwyn for versioning and documentation endpoints, as attackers could target developers or users accessing the '/docs' endpoint. The confidentiality breach could lead to exposure of sensitive business or personal data, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Additionally, the reflected XSS could be leveraged as a stepping stone for more complex attacks such as phishing or delivering malware payloads. Given the ease of exploitation (no authentication required) and the widespread use of FastAPI-based frameworks in Europe, the threat is relevant to sectors including finance, healthcare, and public services that rely on secure API infrastructures.

Mitigation Recommendations

European organizations should immediately audit their Cadwyn deployments to identify versions prior to 5.4.3. The primary mitigation is to upgrade Cadwyn to version 5.4.3 or later, where the vulnerability has been patched. Until upgrades can be performed, organizations should implement strict input validation and output encoding on the 'version' parameter at the application or web server level to neutralize malicious scripts. Employing Web Application Firewalls (WAFs) with rules targeting reflected XSS patterns on the '/docs' endpoint can provide temporary protection. Additionally, organizations should conduct security awareness training for developers and users to recognize suspicious URLs and avoid clicking untrusted links. Monitoring logs for unusual access patterns to the '/docs' endpoint and implementing Content Security Policy (CSP) headers can further reduce the risk of script execution. Finally, integrating automated security testing for XSS vulnerabilities in the CI/CD pipeline will help prevent regressions.
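To make the recommended mitigations concrete, the following is an added Python example (not Cadwyn's code) that places the reflection pattern beside a hardened '/docs' handler which allowlists the 'version' value, encodes it for each output context, and sets a Content Security Policy header. The version list, the regex, the CSP value and all function names are constructed assumptions for illustration.

```python
import html
import re
from urllib.parse import parse_qs, quote

# Constructed allowlist standing in for the API versions an application declares.
# Assumption: the app knows its own versions; nothing here is Cadwyn's code.
KNOWN_VERSIONS = {"2023-01-01", "2024-06-15", "2025-03-10"}
LATEST_VERSION = max(KNOWN_VERSIONS)
VERSION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed CSP: script-src without 'unsafe-inline' blocks reflected inline
# scripts even if a reflection slips through (the last-resort mitigation above).
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")


def render_docs_unsafe(version: str) -> str:
    """The pattern behind a reflected XSS: the query value lands in HTML verbatim."""
    return (f"<h1>API docs, version {version}</h1>"
            f'<a href="/openapi.json?version={version}">OpenAPI schema</a>')


def render_docs_hardened(version: str) -> str:
    """Allowlist first, then context-appropriate encoding as defense in depth."""
    if not VERSION_RE.fullmatch(version) or version not in KNOWN_VERSIONS:
        raise ValueError("unknown API version")
    text = html.escape(version, quote=True)   # HTML text/attribute context
    url = quote(version, safe="")              # URL query-component context
    return (f"<h1>API docs, version {text}</h1>"
            f'<a href="/openapi.json?version={url}">OpenAPI schema</a>')


def handle_docs_request(query_string: str) -> tuple[int, dict, str]:
    """Minimal stand-in for a /docs handler; returns (status, headers, body)."""
    params = parse_qs(query_string, keep_blank_values=True)
    version = params.get("version", [LATEST_VERSION])[0]
    headers = dict([CSP_HEADER, ("Content-Type", "text/html; charset=utf-8")])
    try:
        return 200, headers, render_docs_hardened(version)
    except ValueError:
        # Reject rather than reflect: the error body carries no user input.
        return 400, headers, "<p>Unknown API version.</p>"


if __name__ == "__main__":
    probe = "<b>injected</b>"                  # constructed test input
    print(render_docs_unsafe(probe))           # markup reflected into the page
    print(handle_docs_request("version=" + quote(probe, safe="")))  # 400, nothing reflected
```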

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-02T15:15:11.514Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687ea38ba83201eaac13dd36

Added to database: 7/21/2025, 8:31:07 PM

Last enriched: 7/29/2025, 1:15:57 AM

Last updated: 8/18/2025, 1:22:23 AM
