
CVE-2025-54421: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in NamelessMC Nameless

Severity: High
Tags: vulnerability, cve-2025-54421, cwe-79, cwe-80
Published: Mon Aug 18 2025 (08/18/2025, 16:01:30 UTC)
Source: CVE Database V5
Vendor/Project: NamelessMC
Product: Nameless

Description

NamelessMC is a free, easy to use and powerful website software for Minecraft servers. A cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.4 allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted default_keywords parameter. This vulnerability is fixed in 2.2.4.

AI-Powered Analysis

Last updated: 08/18/2025, 16:32:54 UTC

Technical Analysis

CVE-2025-54421 is a high-severity Cross-Site Scripting (XSS) vulnerability affecting NamelessMC, a popular free and open-source website software tailored for Minecraft server communities. The vulnerability exists in versions prior to 2.2.4 and arises due to improper neutralization of input during web page generation, specifically through the 'default_keywords' parameter. This parameter can be manipulated by remote authenticated attackers to inject arbitrary HTML or JavaScript code into web pages served by the application. Because the vulnerability requires authentication but no user interaction, an attacker with valid credentials can exploit it to execute malicious scripts in the context of other users' browsers. The CVSS v3.1 base score is 7.2, reflecting high impact on confidentiality, integrity, and availability. Exploitation could lead to session hijacking, defacement, unauthorized actions on behalf of users, or distribution of malware. The vulnerability is fixed in NamelessMC version 2.2.4. No known exploits are currently reported in the wild, but the presence of this vulnerability in a widely used community platform for Minecraft servers poses a significant risk if left unpatched.

Potential Impact

For European organizations running Minecraft server communities or gaming-related websites using NamelessMC versions prior to 2.2.4, this vulnerability presents a substantial risk. Successful exploitation could compromise user accounts, leading to unauthorized access to community management functions or sensitive user data. Given the popularity of Minecraft across Europe, including educational and commercial servers, attackers could leverage this vulnerability to spread malware, conduct phishing campaigns, or disrupt community operations. The high impact on confidentiality, integrity, and availability means that affected organizations could face reputational damage, loss of user trust, and potential regulatory scrutiny under GDPR if personal data is compromised. Additionally, compromised servers might be used as pivot points for broader network attacks within organizations.

Mitigation Recommendations

Organizations should promptly upgrade NamelessMC installations to version 2.2.4 or later to apply the official patch that addresses this XSS vulnerability. Until the upgrade is performed, administrators should restrict the functionality that sets the affected 'default_keywords' parameter to the minimum necessary set of trusted users. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting this parameter can provide temporary protection. Additionally, enforcing strict Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting the sources from which scripts may execute. Regularly auditing user privileges, so that only users who need them hold accounts able to change site settings, reduces the attack surface. Monitoring logs for unusual activity related to the parameter or to user sessions can aid in early detection of exploitation attempts.
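The advisory describes the defect as improper neutralization of the default_keywords setting when it is written into a page. The following PHP is an added illustration and is not NamelessMC's code: the setting name comes from the advisory, while the rendering functions, the sample values, the CSP policy string and the audit helper are assumed for the example. It shows the unescaped rendering pattern next to a hardened version that validates the value on the way in and HTML-encodes it on the way out, plus the CSP header and a simple audit check that flags stored settings containing markup characters for review.

```php
<?php
// Added example, not NamelessMC code. 'default_keywords' is the setting named
// in the advisory; everything else here (function names, sample values, the
// CSP policy) is assumed for illustration.
declare(strict_types=1);

// Constructed sample values for the default_keywords setting. The second one
// contains markup characters, the class of input the advisory says was not
// neutralised before 2.2.4. (No real site data.)
const SAMPLE_SETTINGS = [
    'benign' => 'minecraft, survival, community',
    'markup' => 'minecraft"><b>injected</b>',
];

// Vulnerable pattern: the stored setting is written straight into an
// attribute, so any quote or angle bracket it contains changes the markup.
function render_keywords_unsafe(string $keywords): string
{
    return '<meta name="keywords" content="' . $keywords . '">';
}

// Hardened pattern: contextual output encoding for an HTML attribute.
// ENT_QUOTES encodes both quote styles; ENT_HTML5 and an explicit charset
// avoid surprises with partial or mislabelled encodings.
function render_keywords_safe(string $keywords): string
{
    $encoded = htmlspecialchars($keywords, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta name="keywords" content="' . $encoded . '">';
}

// Defence in depth on the input side: keywords are a comma-separated list of
// letters, digits, spaces, underscores and hyphens. Anything else is rejected
// before it is stored, so markup never reaches the database at all.
function validate_keywords(string $keywords): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} _-]+(,\s*[\p{L}\p{N} _-]+)*$/u', $keywords);
}

// Audit aid for existing installations: true when a stored setting contains
// characters that have no business in a keyword list. Run this over the
// settings table after patching to find values saved before the fix.
function setting_needs_review(string $value): bool
{
    return strpbrk($value, '<>"\'') !== false;
}

// CSP limits what an injected script could do if encoding were ever missed.
// The policy below is an assumed baseline, not NamelessMC's own header; it
// must be tuned to the scripts and assets a given site actually loads.
function send_csp_header(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

if (PHP_SAPI === 'cli') {
    foreach (SAMPLE_SETTINGS as $label => $value) {
        echo "[$label]\n";
        echo "  valid input?   " . (validate_keywords($value) ? 'yes' : 'no') . "\n";
        echo "  needs review?  " . (setting_needs_review($value) ? 'yes' : 'no') . "\n";
        echo "  unsafe output: " . render_keywords_unsafe($value) . "\n";
        echo "  safe output:   " . render_keywords_safe($value) . "\n";
    }
}
```

Run from the command line, the 'markup' sample fails validation and is flagged for review, and the hardened renderer emits it as `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;` inside the attribute instead of breaking out of it. Output encoding is the actual fix; validation, the audit pass and CSP are the layers that reduce exposure while installations are still being upgraded.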


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-21T23:18:10.281Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a35225ad5a09ad00b084b9

Added to database: 8/18/2025, 4:17:41 PM

Last enriched: 8/18/2025, 4:32:54 PM

Last updated: 8/18/2025, 5:58:47 PM
