CVE-2025-25062
Published: 03 February 2025
Summary
CVE-2025-25062 is a medium-severity cross-site scripting (CWE-79) vulnerability in Backdrop CMS (vendor: Backdropcms). Its CVSS base score is 4.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces validation of long text content inputs from node or comment forms, directly preventing injection of malicious HTML and JavaScript into CKEditor 5.
Filters output of stored content when loaded into the CKEditor 5 editor for administrative editing, blocking execution of injected scripts.
Requires timely patching of the CKEditor 5 flaw as recommended in the Backdrop CMS security advisory, eliminating the vulnerability root cause.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the web application enables Exploit Public-Facing Application (T1190): injected JavaScript runs in the administrator's browser, directly facilitating Browser Session Hijacking (T1185) and Steal Web Session Cookie (T1539), as described above.
NVD Description
An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and an administrator must edit (not view) the content that contains the malicious content. This problem only exists when using the CKEditor 5 module.
Deeper analysis
CVE-2025-25062 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Backdrop CMS versions 1.28.x prior to 1.28.5 and 1.29.x prior to 1.29.3. The issue arises in the CKEditor 5 rich text editor module, where long text content is not sufficiently isolated, allowing attackers to inject specialized HTML and JavaScript. It has a CVSS v3.1 base score of 4.4 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N), indicating medium severity with network accessibility but high attack complexity, low privileges required, user interaction needed, and changed scope for limited confidentiality and integrity impacts.
An authenticated attacker with low privileges, such as the ability to create long text content via node or comment forms, can exploit this by embedding malicious payloads. The payload executes only when an administrator edits—rather than merely views—the affected content, potentially leading to theft of admin session data or manipulation of the admin's browser context. Exploitation requires the CKEditor 5 module to be enabled and relies on the admin's interaction.
The official Backdrop CMS security advisory (backdrop-sa-core-2025-001) recommends upgrading to Backdrop CMS 1.28.5 or 1.29.3 to mitigate the vulnerability. Additional details on the issue, including proof-of-concept exploitation, are available in third-party analyses such as those on Medium and GetAstra.
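The controls listed above (SI-10 input validation and SI-15 output filtering) both reduce to the same defensive idea: stored rich text must pass through an allow-list filter before it is rendered or handed to an editor in an administrator's session. The following is an added illustration written for this page; it is not Backdrop CMS or CKEditor 5 code and does not reproduce the project's fix. It uses only the Python standard library, and the tag and attribute allow-lists, the `sanitize` function and the sample content are constructed assumptions chosen to show the behaviour, not values taken from the advisory.

```python
"""Allow-list HTML filter illustrating SI-15 style output filtering of stored rich text.

Added example for this page (not Backdrop CMS / CKEditor 5 code). The allow-lists
below are assumptions chosen for illustration; a real deployment would derive them
from the text format it actually offers to content authors.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allow-lists: everything not named here is removed.
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a",
                "h2", "h3", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # no event handlers, no style
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}    # tag and its text are both discarded


def _safe_url(value):
    """Accept absolute http(s)/mailto URLs and site-relative paths only.

    Matching on the prefix of the whole value means schemes such as
    javascript: or data: can never appear, however they are spelled.
    Protocol-relative '//host' is also rejected.
    """
    if value is None:
        return False
    v = value.strip().lower()
    if v.startswith(("http://", "https://", "mailto:")):
        return True
    return v.startswith("/") and not v.startswith("//")


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments, joined in result()
        self.dropped = []      # audit trail of removed tags/attributes (for logging)
        self._open = []        # stack of emitted, still-open tags
        self._skip_depth = 0   # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            self.dropped.append(f"tag:{tag}")
            return
        if tag not in ALLOWED_TAGS:
            # Unknown element: drop the tag, keep any text it wrapped.
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:            # HTMLParser lower-cases names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            if name == "href" and not _safe_url(value):
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # treat <br/> like <br>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in self._open:
            # Close anything left open inside this element, then the element.
            while True:
                top = self._open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if self._skip_depth == 0:
            # Re-escape text so stored entities cannot re-form markup.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append("comment")       # comments are never re-emitted

    def result(self):
        while self._open:                    # balance any unclosed allowed tags
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return (clean_html, dropped_items) for a stored rich-text field."""
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # Constructed sample of hostile stored content (not a real payload from the page).
    sample = ('<p>Hi <strong>there</strong><script>alert(1)</script>'
              '<img src=x onerror=alert(1)><a href="javascript:alert(1)">x</a></p>')
    clean, dropped = sanitize(sample)
    print(clean)      # <p>Hi <strong>there</strong><a>x</a></p>
    print(dropped)    # ['tag:script', 'tag:img', 'attr:a@href']
```

The filter belongs on the server, applied to the stored value before it is placed into the editor's initial data for an administrator's editing session, so that the editing context gets the same treatment as the public rendering path. The `dropped` list is the detection hook: a comment or node body that repeatedly loses `script` tags or `javascript:` hrefs on save is a signal worth alerting on, independent of whether any administrator ever opened it.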
Details
- CWE(s)