Cyber Resilience

CVE-2025-24885

High

Published: 30 January 2025

Published
30 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
EPSS Score 0.0015 34.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24885 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-24885 is a stored cross-site scripting (XSS) vulnerability, associated with CWE-79 and CWE-284, in the dojo component of pwn.college, an educational platform for hands-on cybersecurity learning and practice. The issue arises from missing access control on rendering custom unprivileged dojo pages, enabling users to inject and store malicious scripts that execute in the context of other users viewing those pages. The vulnerability was published on 2025-01-30 and carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N).

Low-privileged users (PR:L), such as registered accounts on pwn.college, can exploit this over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as victims accessing the affected dojo pages. Exploitation changes scope (S:C) and primarily achieves high confidentiality impact (C:H), potentially allowing attackers to steal sensitive data like session tokens or user information from victims, alongside low integrity impact (I:L) and no availability disruption (A:N).

Mitigation details are available in the GitHub security advisory for the pwn.college dojo repository at https://github.com/pwncollege/dojo/security/advisories/GHSA-8m79-rmhw-rg84.

EU & UK References

Vulnerability details

pwn.college is an education platform to learn about, and practice, core cybersecurity concepts in a hands-on fashion. Missing access control on rendering custom (unprivileged) dojo pages causes ability for users to create stored XSS.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS enables injection of scripts that execute in victim browsers to steal session tokens (T1539 Steal Web Session Cookie) and hijack sessions (T1185 Browser Session Hijacking).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1009Shared CWE-284, CWE-79
CVE-2026-32277Shared CWE-79
CVE-2026-35035Shared CWE-79
CVE-2026-46367Shared CWE-79
CVE-2025-25102Shared CWE-79
CVE-2025-26918Shared CWE-79
CVE-2025-67923Shared CWE-79
CVE-2026-27655Shared CWE-79
CVE-2026-30919Shared CWE-79
CVE-2025-23883Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations to address the missing access control on rendering custom unprivileged dojo pages, preventing users from injecting stored XSS payloads.

prevent

Validates information inputs from low-privileged users creating custom dojo pages to block malicious scripts associated with CWE-79.

prevent

Filters information output when rendering custom dojo pages to prevent execution of stored XSS payloads in the context of other users.

References