CVE-2025-25296
Published: 14 February 2025
Summary
CVE-2025-25296 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in HumanSignal Label Studio. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 4.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-25296 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Label Studio, an open source data labeling tool, in versions prior to 1.16.0. The flaw exists in the `/projects/upload-example` endpoint, which permits injection of arbitrary HTML via a GET request using a specially crafted `label_config` query parameter. Attackers can supply a maliciously formatted XML label config with inline task data containing HTML/JavaScript, which the endpoint renders without proper sanitization.
The vulnerability enables exploitation over the network with low complexity and no privileges required, though it depends on user interaction, earning a CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). An attacker crafts a malicious URL targeting the endpoint and tricks victims into visiting it, leading to arbitrary JavaScript execution in their browsers within the Label Studio context. Although a Content Security Policy is present, its report-only mode renders it ineffective against script execution. Successful attacks can result in theft of sensitive data, session hijacking, or other client-side malicious actions.
Label Studio version 1.16.0 includes a patch addressing the issue. For mitigation details, refer to the GitHub security advisory at https://github.com/HumanSignal/label-studio/security/advisories/GHSA-wpq5-3366-mqw4 and the patching commit at https://github.com/HumanSignal/label-studio/commit/8cf6958e1e27ef6a03ed287e674470975d340885.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4106
Vulnerability details
Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's `/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label_config` query parameter. By crafting a specially formatted XML label config with inline task data containing malicious HTML/JavaScript, an attacker can achieve Cross-Site Scripting (XSS). While the application has a Content Security Policy (CSP), it is only set in report-only mode, making it ineffective at preventing script execution. The vulnerability exists because the upload-example endpoint renders user-provided HTML content without proper sanitization on a GET request. This allows attackers to inject and execute arbitrary JavaScript in victims' browsers by getting them to visit a maliciously crafted URL. This is considered vulnerable because it enables attackers to execute JavaScript in victims' contexts, potentially allowing theft of sensitive data, session hijacking, or other malicious actions. Version 1.16.0 contains a patch for the issue.
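The rendering flaw described above (and in the Deeper analysis section) leaves a clear trace in web server logs: a GET request to the endpoint whose `label_config` parameter carries script-capable HTML rather than plain Label Studio XML. The following detection script is an added defender-side example, not code from the Label Studio project or this advisory; it assumes an Nginx/Apache combined-format access log from a reverse proxy in front of Label Studio, and the log lines it scans are constructed samples.

```python
"""Scan combined-format access logs for CVE-2025-25296 exploitation attempts.
Added defender-side example, not Label Studio project code. Assumes an Nginx/
Apache combined log in front of Label Studio; SAMPLE_LOG is constructed."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit
# client - - [timestamp] "METHOD target protocol" status ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A legitimate label_config is XML of Label Studio tags (<View>, <Text>, ...), so
# flag only script-capable HTML: known HTML tags, on*= handlers, javascript: URIs.
MARKUP_RE = re.compile(
    r'<\s*(script|iframe|object|embed|svg|img|style|form|input|body|meta|link)\b'
    r'|\bon[a-z]+\s*=|javascript\s*:', re.I)

def decode_fully(value, rounds=3):
    """Undo repeated URL encoding and HTML entities used to hide markup."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding dict for a suspicious upload-example GET, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/projects/upload-example":
        return None
    for cfg in parse_qs(parts.query).get("label_config", []):
        hit = MARKUP_RE.search(decode_fully(cfg))
        if hit:
            return {"client": m.group("client"), "ts": m.group("ts"), "indicator": hit.group(0)}
    return None

def scan_log(lines):
    """Findings for every suspicious line in an iterable of log lines."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample traffic: a normal config preview, then one carrying a script tag.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Feb/2025:10:00:01 +0000] "GET /projects/upload-example'
    '?label_config=%3CView%3E%3CText%20name%3D%22t%22%20value%3D%22%24text%22%2F%3E'
    '%3C%2FView%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Feb/2025:10:00:02 +0000] "GET /projects/upload-example'
    '?label_config=%3CView%3E%3Cscript%3Ex%3C%2Fscript%3E%3C%2FView%3E HTTP/1.1" 200 600 "-" "Mozilla/5.0"',
]
```

Because the endpoint is also used for legitimate config previews, the signature deliberately ignores Label Studio's own XML tags and only fires on HTML constructs that can execute script; a 200 status on a flagged request on a version before 1.16.0 is the case to escalate.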
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in the public-facing Label Studio web application (`/projects/upload-example` endpoint) directly enables exploitation of a public-facing application via crafted GET requests with malicious `label_config` parameters, leading to arbitrary JavaScript execution in the victim's browser.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly validates the crafted `label_config` query parameter to block injection of malicious HTML/JavaScript into the upload-example endpoint.
- SI-15 (Information Output Filtering): Filters and sanitizes the rendered user-provided content from `label_config` to prevent arbitrary JavaScript execution in victims' browsers.
- Ensures timely application of patches like version 1.16.0 to remediate the specific XSS flaw in the endpoint.