CVE-2025-8349: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Tawk Live Chat
CVE-2025-8349 is a stored Cross-site Scripting (XSS) vulnerability in all versions of Tawk Live Chat. It allows attackers to upload a malicious PDF containing JavaScript payloads via the chatbot interface. The application stores and later displays this PDF without proper sanitization, enabling execution of arbitrary JavaScript in other users' browsers. Exploitation can lead to theft of sensitive data such as session cookies or unauthorized actions performed on behalf of the user. The vulnerability has a medium CVSS score of 5.3, indicating moderate risk. No known exploits are currently reported in the wild. European organizations using Tawk Live Chat should be aware of this risk and implement mitigations promptly to prevent potential data breaches or session hijacking. This threat is particularly relevant for countries with high adoption of Tawk Live Chat in sectors handling sensitive user data.
AI Analysis
Technical Summary
CVE-2025-8349 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting all versions of the Tawk Live Chat product. The vulnerability arises due to improper neutralization of input during web page generation, specifically when the application accepts PDF files uploaded through the chatbot interface. Attackers can embed malicious JavaScript code within a PDF file, which is then stored by the application and rendered without adequate sanitization when accessed by other users. This stored XSS flaw allows the execution of arbitrary JavaScript in the context of the victim's browser session. The attack vector requires no authentication and no privileges, but does require user interaction to trigger the malicious payload. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and low scope impact. The vulnerability can be exploited to steal session cookies, enabling session hijacking, or to perform unauthorized actions on behalf of the victim, potentially compromising confidentiality and integrity of user data. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the widespread use of Tawk Live Chat in customer-facing web applications. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies.
Potential Impact
For European organizations, the exploitation of CVE-2025-8349 could lead to unauthorized access to user accounts and sensitive data leakage, particularly in sectors such as e-commerce, finance, healthcare, and public services where Tawk Live Chat is deployed. The ability to execute arbitrary JavaScript in users' browsers can facilitate session hijacking, credential theft, and unauthorized transactions, undermining user trust and potentially violating GDPR data protection requirements. The medium severity rating reflects a moderate but tangible risk, especially given the ease of exploitation without authentication. Organizations may face reputational damage, regulatory penalties, and operational disruptions if the vulnerability is exploited. The impact is amplified in environments where chat interactions involve sensitive or personally identifiable information. Additionally, attackers could use the vulnerability as a foothold for further attacks within the victim’s network or to distribute malware.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Immediately restrict or disable file uploads through the Tawk Live Chat interface until a patch is available.
2) Employ web application firewalls (WAFs) with custom rules to detect and block malicious payloads embedded in PDFs or other uploaded files.
3) Sanitize and validate all user-generated content rigorously, especially files uploaded via chat interfaces, using server-side controls.
4) Monitor chat logs and file uploads for suspicious activity indicative of exploitation attempts.
5) Educate users and administrators about the risks of interacting with unexpected or suspicious chat content.
6) Engage with Tawk support or vendors to obtain patches or updates addressing this vulnerability as soon as they are released.
7) Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks.
8) Conduct regular security assessments and penetration tests focusing on chat and file upload functionalities.
These steps go beyond generic advice by focusing on immediate containment, proactive detection, and layered defense tailored to the nature of this vulnerability.
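As an added illustration of mitigations 3 and 7 (server-side validation of uploaded PDFs and restrictive headers when serving them), the following example is not Tawk's code and makes no claim about how Tawk handles uploads; the function and header names are the example's own, and the two PDF samples are constructed inline. It rejects PDFs that declare JavaScript or other auto-executing actions, and serves stored uploads as downloads under a sandboxing CSP so that a file which slips through is not rendered inline in the application's origin.

```python
import re

# PDF name objects that introduce active content. A real deployment should
# additionally parse the file with a PDF library, since these names can sit
# inside compressed object streams that a raw byte scan cannot see.
ACTIVE_CONTENT_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/RichMedia")


def _decode_pdf_name_escapes(data: bytes) -> bytes:
    # PDF names may hex-escape characters (e.g. "/J#61vaScript"); normalise before matching.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def find_active_content(pdf_bytes: bytes) -> list[str]:
    """Return the active-content names present in the PDF (empty list if none)."""
    if not pdf_bytes.startswith(b"%PDF-"):
        return ["not-a-pdf"]
    normalised = _decode_pdf_name_escapes(pdf_bytes)
    found = []
    for name in ACTIVE_CONTENT_NAMES:
        # A name ends at whitespace or a delimiter, so "/AA" must not match "/AABBCC+Font".
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", normalised):
            found.append(name.decode())
    return found


def is_upload_allowed(pdf_bytes: bytes, max_size: int = 10 * 1024 * 1024) -> bool:
    """Server-side gate for chat uploads: size-limited, well-formed header, no active content."""
    return len(pdf_bytes) <= max_size and not find_active_content(pdf_bytes)


def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored upload: force download, no sniffing, sandboxed CSP."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "file.pdf"
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed samples for demonstration; neither is a file from the advisory.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /J#61vaScript /JS (x) >> >>\n"
               b"endobj\n%%EOF\n")

if __name__ == "__main__":
    print("benign allowed:", is_upload_allowed(BENIGN_PDF))      # True
    print("suspect flags:", find_active_content(SUSPECT_PDF))   # ['/JavaScript', '/JS', '/OpenAction']
```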
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2025-07-30T11:11:57.246Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68f6093ced66740820aae006
Added to database: 10/20/2025, 10:04:44 AM
Last enriched: 10/27/2025, 12:56:24 PM
Last updated: 12/5/2025, 5:31:33 AM