CVE-2025-8349 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79 affecting the Tawk Live Chat product. The flaw occurs because the application fails to properly neutralize input when generating web pages, specifically when handling uploaded PDF files containing embedded JavaScript payloads. An attacker can exploit this by uploading a malicious PDF through the chatbot interface, which the system stores and later displays to other users without adequate sanitization. When victims access the chat interface and the malicious PDF is rendered, the embedded JavaScript executes in their browsers. This can lead to session hijacking, data theft, or unauthorized actions performed with the victim's privileges. The vulnerability requires no authentication or privileges to exploit but does require user interaction (viewing the malicious content). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) reflects network attack vector, low attack complexity, no privileges or authentication, user interaction needed, and limited scope and impact confined to integrity and confidentiality. No patches or known exploits are currently documented, but the vulnerability poses a moderate risk due to the widespread use of Tawk Live Chat in customer support and engagement scenarios.

The primary impact of CVE-2025-8349 is the compromise of user confidentiality and integrity through execution of arbitrary JavaScript in victim browsers. Attackers can steal session cookies, enabling account takeover or impersonation, and perform unauthorized actions on behalf of users, potentially leading to data leakage or manipulation. Since Tawk Live Chat is widely integrated into websites for real-time customer interaction, exploitation could affect a large number of end users and organizations relying on this service for support. The vulnerability could also be leveraged as an initial vector for further attacks, such as phishing or spreading malware. Although the CVSS score is medium, the ease of exploitation (no authentication required) and the potential for sensitive data exposure make this a significant concern for organizations using the affected product. The absence of known exploits in the wild suggests limited current active exploitation but does not preclude future attacks once the vulnerability becomes publicly known.

Organizations should implement strict input validation and sanitization on all uploaded files, especially PDFs, to prevent embedded scripts from executing. Employ server-side scanning and filtering of uploaded content to detect and block malicious payloads. Update or patch the Tawk Live Chat product as soon as vendor fixes become available. In the interim, consider disabling file upload features or restricting uploads to trusted users only. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor logs for unusual upload activity or access patterns indicative of exploitation attempts. Educate users to be cautious when interacting with chat attachments and report suspicious content. Additionally, isolate the chat application environment to minimize potential lateral movement if exploitation occurs.