CVE-2025-8349 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting all versions of the Tawk Live Chat product. The flaw arises from improper neutralization of input during web page generation, specifically when users upload PDF files containing embedded JavaScript payloads through the chatbot interface. These PDFs are stored by the application and later rendered or displayed to other users without adequate sanitization or validation, allowing the embedded JavaScript to execute in the context of the victim's browser. This execution can lead to theft of session cookies, enabling session hijacking, or allow attackers to perform unauthorized actions on behalf of the victim user. The vulnerability is remotely exploitable without requiring authentication or privileges, but it requires user interaction, as victims must access the malicious PDF. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or authentication required, but user interaction is necessary. The vulnerability has not yet been observed exploited in the wild, and no official patches have been released. The flaw represents a significant risk for organizations relying on Tawk Live Chat for customer interaction, as it can compromise user confidentiality and integrity of sessions.

For European organizations, this vulnerability poses a risk of sensitive data exposure and session hijacking through exploitation of the live chat interface. Attackers could leverage the vulnerability to steal authentication cookies or tokens, leading to unauthorized access to user accounts or internal systems. This can result in data breaches, reputational damage, and potential regulatory non-compliance under GDPR due to exposure of personal data. The stored nature of the XSS increases risk because malicious payloads persist and can affect multiple users over time. Organizations in sectors with high customer interaction via live chat—such as e-commerce, banking, and public services—are particularly vulnerable. Additionally, the lack of patches and the widespread use of Tawk Live Chat across Europe increase the attack surface. The medium severity score reflects moderate impact and ease of exploitation, but the potential for cascading effects on confidentiality and integrity is significant.

European organizations should immediately audit their use of Tawk Live Chat and restrict or disable file upload functionality if possible until a patch is available. Implement strict input validation and sanitization on all uploaded files, especially PDFs, to prevent embedded scripts from executing. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and reduce XSS impact. Monitor chat logs and uploaded files for suspicious content and remove any malicious files promptly. Educate users to avoid interacting with unexpected or suspicious files received via chat. Consider deploying web application firewalls (WAFs) with rules targeting known XSS payload patterns. Coordinate with Tawk to obtain updates on patch releases and apply them immediately once available. Finally, conduct regular security assessments of third-party integrations to identify and remediate similar risks proactively.