CVE-2025-58115: Cross-site scripting (XSS) in NEOJAPAN Inc. ChatLuck
CVE-2025-58115 is a medium severity cross-site scripting (XSS) vulnerability affecting NEOJAPAN Inc.'s ChatLuck product versions V3.6 R1.0 through V6.6 R1.0. The vulnerability exists in the Guest User Sign-up functionality, allowing an attacker to inject arbitrary scripts that execute in the browsers of users accessing the product. Exploitation requires user interaction but no authentication, and can lead to partial compromise of confidentiality and integrity of user data. While no known exploits are currently in the wild, the vulnerability's scope is significant due to the product's use in collaborative environments. European organizations using ChatLuck should prioritize patching or applying mitigations to prevent potential phishing, session hijacking, or data theft attacks.
AI Analysis
Technical Summary
CVE-2025-58115 is a cross-site scripting (XSS) vulnerability identified in the Guest User Sign-up feature of ChatLuck, collaboration/chat software developed by NEOJAPAN Inc. The affected versions range from V3.6 R1.0 to V6.6 R1.0. The vulnerability allows an attacker to inject malicious JavaScript into the application interface; the script executes in the context of the victim's browser when they access the affected page. Whether the flaw is reflected or stored XSS depends on how the input is handled; the advisory describes arbitrary script execution in users' browsers, which points to a possible stored variant. The CVSS v3.0 score is 6.1 (medium): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), low confidentiality and integrity impact (C:L/I:L), and no availability impact (A:N). The scope change indicates that the vulnerability affects components beyond the initially vulnerable one, such as other parts of the system or user sessions. Exploitation requires the victim to interact with maliciously crafted content, for example by clicking a link or submitting a form. The vulnerability can be leveraged to steal session cookies, perform actions on behalf of the user, or deliver further malware payloads. No public exploits or patches are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. It was reserved on 2025-09-02 and published on 2025-10-16 by JPCERT, indicating a recent discovery and disclosure.
Potential Impact
For European organizations, the impact of this XSS vulnerability in ChatLuck can be significant, especially for those relying on this tool for internal and external communications. Successful exploitation could lead to unauthorized disclosure of sensitive information such as session tokens, user credentials, or confidential messages, undermining confidentiality. Integrity may be compromised by attackers injecting malicious scripts that alter displayed content or perform unauthorized actions on behalf of users. Although availability is not directly affected, the trustworthiness of the communication platform could be damaged, potentially disrupting collaboration workflows. Given that ChatLuck is a collaboration tool, attackers could use this vulnerability to conduct phishing campaigns within organizations or pivot to further attacks. The requirement for user interaction means social engineering could be employed to increase success rates. The absence of known exploits in the wild currently reduces immediate risk, but the public disclosure increases the likelihood of future exploitation attempts. Organizations in sectors with high collaboration needs, such as finance, government, and technology, are particularly at risk.
Mitigation Recommendations
To mitigate CVE-2025-58115, organizations should first verify if they use affected versions of ChatLuck (V3.6 R1.0 to V6.6 R1.0) and plan for immediate upgrades once patches are released by NEOJAPAN Inc. In the absence of official patches, implement strict input validation and sanitization on all user-supplied data in the Guest User Sign-up feature to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing ChatLuck. Enable HTTP-only and secure flags on cookies to reduce the risk of session hijacking. Conduct user awareness training focusing on recognizing suspicious links or inputs, especially for guest users who might be targeted. Monitor application logs for unusual input patterns or error messages indicative of attempted XSS exploitation. If possible, isolate the Guest User Sign-up functionality behind additional verification or CAPTCHA to reduce automated attacks. Engage with NEOJAPAN Inc. for timely updates and security advisories. Finally, consider deploying web application firewalls (WAF) with rules tailored to detect and block XSS payloads targeting ChatLuck.
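The following is an added defensive example, not ChatLuck code and not published by NEOJAPAN Inc. It shows three of the mitigations listed above applied to a guest sign-up confirmation page: contextual HTML encoding of user-supplied fields, a Content Security Policy plus HttpOnly/Secure cookie attributes on the response, and a simple log-side check that flags sign-up fields carrying HTML metacharacters. The field names (`displayName`, `email`), the page layout, the sample guest record and the nonce and session values are all constructed assumptions.

```javascript
// Added example (not ChatLuck's code): hardening a guest sign-up response.
// Handler names, field names, sample input, nonce and session id are assumed.

// HTML-encode a value for insertion into element content or a quoted attribute.
// Encoding at output time, per context, is what prevents the injected markup
// from being parsed as HTML/script by the viewing browser.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Render the confirmation page. Every user-controlled value is encoded for
// the context it lands in; nothing user-supplied is concatenated raw.
function renderGuestSignupConfirmation(guest) {
  const name = escapeHtml(guest.displayName);
  const email = escapeHtml(guest.email);
  return [
    '<!doctype html><html><body>',
    `<h1>Welcome, ${name}</h1>`,
    `<p>A confirmation was sent to <span data-email="${email}">${email}</span>.</p>`,
    '</body></html>',
  ].join('');
}

// Response headers that limit what an injected script could do even if an
// encoding step were missed: a CSP that allows only same-origin scripts and
// scripts carrying this response's nonce (no inline script otherwise), plus
// HttpOnly/Secure/SameSite on the session cookie so it is not readable from
// script and not sent over plaintext HTTP.
function securityHeaders(sessionId, nonce) {
  return {
    'Content-Security-Policy':
      `default-src 'self'; script-src 'self' 'nonce-${nonce}'; ` +
      "object-src 'none'; base-uri 'none'; frame-ancestors 'self'",
    'Set-Cookie':
      `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`,
    'X-Content-Type-Options': 'nosniff',
  };
}

// Log-side check for "unusual input patterns": a guest display name never
// legitimately needs angle brackets, a javascript: URL or an on*= handler.
// Returns the names of the fields that should be logged for review.
const SUSPICIOUS = /[<>]|javascript:|\bon\w+\s*=/i;
function flagSuspiciousSignup(fields) {
  return Object.entries(fields)
    .filter(([, value]) => SUSPICIOUS.test(String(value)))
    .map(([key]) => key);
}

// Constructed sample guest record: the display name carries markup and quotes.
const sampleGuest = {
  displayName: 'Alice <b>Guest</b> "Q"',
  email: 'alice@example.com',
};

// Run the pieces together; returns the rendered page, the flagged fields and
// the headers so the results can be inspected or asserted on.
function demo() {
  return {
    html: renderGuestSignupConfirmation(sampleGuest),
    flagged: flagSuspiciousSignup(sampleGuest),
    headers: securityHeaders('constructed-session-id', 'constructedNonce'),
  };
}
```

The nonce passed to `securityHeaders` must be freshly generated per response (for example from `crypto.randomBytes`) and attached to every legitimate `<script>` tag the page emits; a fixed or predictable nonce gives no protection. The log check is deliberately coarse and will flag some harmless input, which is acceptable for a review queue but not for blocking on its own.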
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: jpcert
- Date Reserved: 2025-09-02T01:35:11.185Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68f0b5089f8a5dbaeac23886
Added to database: 10/16/2025, 9:04:08 AM
Last enriched: 10/16/2025, 9:15:32 AM
Last updated: 10/16/2025, 2:14:46 PM
Views: 4