Cyber Resilience

CVE-2025-25062

Medium · Public PoC

Published: 03 February 2025

Modified: 23 January 2026
CVSS Score v3.1: 4.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.3686 (97.3rd percentile)
Risk Priority: 31 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25062 is a medium-severity cross-site scripting (CWE-79) vulnerability in Backdrop CMS. Its CVSS base score is 4.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-25062 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Backdrop CMS versions 1.28.x prior to 1.28.5 and 1.29.x prior to 1.29.3. The issue arises in the CKEditor 5 rich text editor module, where long text content is not sufficiently isolated, allowing attackers to inject specialized HTML and JavaScript. Its CVSS v3.1 base score is 4.4 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N): medium severity, reflecting a network attack vector, high attack complexity, low privileges required, required user interaction, and a changed scope with limited confidentiality and integrity impact.

An authenticated attacker with low privileges, such as the ability to create long text content via node or comment forms, can exploit this by embedding malicious payloads. The payload executes only when an administrator edits—rather than merely views—the affected content, potentially leading to theft of admin session data or manipulation of the admin's browser context. Exploitation requires the CKEditor 5 module to be enabled and relies on the admin's interaction.

The official Backdrop CMS security advisory (backdrop-sa-core-2025-001) recommends upgrading to Backdrop CMS 1.28.5 or 1.29.3 to mitigate the vulnerability. Additional details on the issue, including proof-of-concept exploitation, are available in third-party analyses such as those on Medium and GetAstra.

Vulnerability details

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and an administrator must edit (not view) the content that contains the malicious content. This problem only exists when using the CKEditor 5 module.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 · Browser Session Hijacking · Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 · Steal Web Session Cookie · Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Stored XSS in the web application enables exploitation of a public-facing application (T1190) to inject JavaScript that runs in the administrator's browser, directly facilitating browser session hijacking (T1185) and theft of web session cookies (T1539), as described.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25248 · Shared CWE-79
CVE-2025-68008 · Shared CWE-79
CVE-2025-0817 · Shared CWE-79
CVE-2024-55227 · Shared CWE-79
CVE-2026-2072 · Shared CWE-79
CVE-2026-32728 · Shared CWE-79
CVE-2025-25169 · Shared CWE-79
CVE-2025-68887 · Shared CWE-79
CVE-2026-21290 · Shared CWE-79
CVE-2024-41746 · Shared CWE-79

Affected Assets

backdropcms
backdrop cms
1.28.0 — 1.28.5 · 1.29.0 — 1.29.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Enforces validation of long text content inputs from node or comment forms, directly preventing injection of malicious HTML and JavaScript into CKEditor 5.

Prevent: Filters output of stored content when loaded into the CKEditor 5 editor for administrative editing, blocking execution of injected scripts.

Prevent: Requires timely patching of the CKEditor 5 flaw as recommended in the Backdrop CMS security advisory, eliminating the vulnerability root cause.
