Cyber Resilience

CVE-2025-25296

Severity: Medium · Public PoC

Published: 14 February 2025
Modified: 25 August 2025
KEV Added: not listed
Patch: (no entry)
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.2005 (95.6th percentile)
Risk Priority: 24 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25296 is a medium-severity cross-site scripting (CWE-79) vulnerability in HumanSignal Label Studio, with a CVSS v3.1 base score of 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.4% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-25296 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Label Studio, an open source data labeling tool, in versions prior to 1.16.0. The flaw exists in the `/projects/upload-example` endpoint, which permits injection of arbitrary HTML via a GET request using a specially crafted `label_config` query parameter. Attackers can supply a maliciously formatted XML label config with inline task data containing HTML/JavaScript, which the endpoint renders without proper sanitization.

The vulnerability enables exploitation over the network with low complexity and no privileges required, though it depends on user interaction, earning a CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). An attacker crafts a malicious URL targeting the endpoint and tricks victims into visiting it, leading to arbitrary JavaScript execution in their browsers within the Label Studio context. Although a Content Security Policy is present, its report-only mode renders it ineffective against script execution. Successful attacks can result in theft of sensitive data, session hijacking, or other client-side malicious actions.

Label Studio version 1.16.0 includes a patch addressing the issue. For mitigation details, refer to the GitHub security advisory at https://github.com/HumanSignal/label-studio/security/advisories/GHSA-wpq5-3366-mqw4 and the patching commit at https://github.com/HumanSignal/label-studio/commit/8cf6958e1e27ef6a03ed287e674470975d340885.

EU & UK References

Vulnerability details

Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's `/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label_config` query parameter. By crafting a specially formatted XML label config with inline task data containing malicious HTML/JavaScript, an attacker can achieve Cross-Site Scripting (XSS). While the application has a Content Security Policy (CSP), it is only set in report-only mode, making it ineffective at preventing script execution. The vulnerability exists because the upload-example endpoint renders user-provided HTML content without proper sanitization on a GET request. This allows attackers to inject and execute arbitrary JavaScript in victims' browsers by getting them to visit a maliciously crafted URL. This is considered vulnerable because it enables attackers to execute JavaScript in victims' contexts, potentially allowing theft of sensitive data, session hijacking, or other malicious actions. Version 1.16.0 contains a patch for the issue.
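The two controls named in the summary (SI-10 input validation and SI-15 output filtering) and the CSP point above are easier to see side by side in code. The following is an added illustration written for this page; it is not Label Studio's own code or its patch, and every name in it (`render_unsafe`, `render_safe`, `validate_label_config`, `ALLOWED_TAGS`, `csp_header`) is hypothetical. The sample configs are constructed, not taken from the advisory or any PoC.

```python
"""Added illustration of the defect class and its fix; not Label Studio's own code.
All function and constant names are hypothetical."""
import html
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

# Constructed sample inputs (not taken from any advisory or public PoC).
BENIGN_CONFIG = '<View><Text name="txt" value="$text"/></View>'
# Well-formed XML that smuggles a <script> element in as "inline task data".
HOSTILE_CONFIG = ('<View><Text name="txt" value="$text"/>'
                  '<script>alert(document.cookie)</script></View>')

# Hypothetical allow-list of labeling tags; a real one comes from the product's schema.
ALLOWED_TAGS = {"View", "Text", "Header", "Labels", "Label", "Choices", "Choice"}
SUSPICIOUS_VALUE_FRAGMENTS = ("<", ">", "javascript:")


def render_unsafe(label_config: str) -> str:
    """The defect class: the query parameter lands in the response body verbatim,
    so any markup inside it is parsed and executed by the victim's browser."""
    return f'<div class="preview">{label_config}</div>'


def validate_label_config(label_config: str) -> list:
    """SI-10 (input validation): accept only a well-formed config built from known
    tags and plain attribute values. Returns a list of problems; empty means OK."""
    try:
        root = ET.fromstring(label_config)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "View":
        problems.append(f"root element must be <View>, got <{root.tag}>")
    for element in root.iter():  # iter() includes the root element itself
        if element.tag not in ALLOWED_TAGS:
            problems.append(f"tag <{element.tag}> is not an allowed labeling tag")
        for name, value in element.attrib.items():
            if name.lower().startswith("on"):
                problems.append(f"event-handler attribute {name!r} on <{element.tag}>")
            if any(frag in value.lower() for frag in SUSPICIOUS_VALUE_FRAGMENTS):
                problems.append(f"markup-like value in {name!r} on <{element.tag}>")
    return problems


def render_safe(label_config: str) -> str:
    """SI-10 then SI-15 (output filtering): reject anything outside the schema and
    HTML-encode what remains, so the browser displays the config as text."""
    problems = validate_label_config(label_config)
    if problems:
        raise ValueError("; ".join(problems))
    return f'<div class="preview">{html.escape(label_config, quote=True)}</div>'


def is_rejected(label_config: str) -> bool:
    """True when render_safe refuses the input."""
    try:
        render_safe(label_config)
    except ValueError:
        return True
    return False


def csp_header(enforce: bool) -> dict:
    """The header-name difference that decided whether CSP helped here:
    Report-Only mode only sends violation reports; the injected script still runs."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return {name: "default-src 'self'; script-src 'self'; object-src 'none'"}


if __name__ == "__main__":
    print(render_unsafe(HOSTILE_CONFIG))   # markup reaches the browser intact
    print(render_safe(BENIGN_CONFIG))      # &lt;View&gt;... shown as text
    print(validate_label_config(HOSTILE_CONFIG))
    print(csp_header(enforce=True))
```

The validation step is what makes the fix robust: encoding alone would stop the script, but an allow-list of tags and attributes also refuses event-handler attributes and `javascript:` URLs that an encoder would happily preserve as text for a later, less careful consumer to render.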

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The reflected XSS vulnerability in the public-facing Label Studio web application (/projects/upload-example endpoint) directly enables exploitation of a public-facing application via crafted GET requests with malicious label_config parameters, leading to arbitrary JavaScript execution in the victim's browser.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
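For the detection side of T1190, the endpoint and parameter named above are enough to write a log rule. The following is an added example for this page, not something from the original record or from the Label Studio project: it scans web-server access logs in combined format for requests to `/projects/upload-example` whose `label_config` value, once URL-decoded (twice, to catch double-encoding), contains script-like markup. The log lines, IP addresses and all function names (`parse_line`, `flag_line`, `scan`) are constructed for the example.

```python
"""Added detection example (not from the original page or the Label Studio project).
Log lines, addresses and function names are constructed."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2025:10:01:02 +0000] "GET /projects/upload-example?label_config=%3CView%3E%3CText+name%3D%22txt%22+value%3D%22%24text%22%2F%3E%3C%2FView%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Feb/2025:10:02:15 +0000] "GET /projects/upload-example?label_config=%3CView%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3C%2FView%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2025:10:03:40 +0000] "GET /projects/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PATH = "/projects/upload-example"
WATCHED_PARAM = "label_config"
# A labeling config legitimately contains tags such as <View> and <Text>, so the rule
# looks for markup that has no business in one rather than for '<' alone.
SCRIPT_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b|javascript\s*:|\bon\w+\s*=", re.I
)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_param(raw: str) -> str:
    """parse_qs already decodes once; decode a second time to catch double-encoding."""
    return unquote_plus(raw)


def flag_line(line: str):
    """Return a finding dict for a suspicious request to the watched endpoint, else None."""
    fields = parse_line(line)
    if not fields:
        return None
    url = urlsplit(fields["target"])
    if url.path != WATCHED_PATH:
        return None
    for value in parse_qs(url.query).get(WATCHED_PARAM, []):
        decoded = decode_param(value)
        hit = SCRIPT_MARKUP.search(decoded)
        if hit:
            return {"ip": fields["ip"], "ts": fields["ts"], "status": fields["status"],
                    "indicator": hit.group(0), "label_config": decoded}
    return None


def scan(log_text: str) -> list:
    """Run flag_line over every line and collect the findings."""
    return [f for f in (flag_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} -> {finding['indicator']!r} "
              f"in {finding['label_config']}")
```

Because the endpoint answers GET requests, the full parameter is visible in ordinary access logs and proxy logs, which is what makes this a cheap retrospective check; a 200 status on a flagged line means the server rendered the request, so the finding is worth correlating with which users followed that URL.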

CVEs Like This One

CVE-2025-25297 (same product: HumanSignal Label Studio)
CVE-2021-47873 (shared CWE-79)
CVE-2026-7052 (shared CWE-79)
CVE-2024-56060 (shared CWE-79)
CVE-2025-49043 (shared CWE-79)
CVE-2026-40038 (shared CWE-79)
CVE-2024-56022 (shared CWE-79)
CVE-2025-68889 (shared CWE-79)
CVE-2026-1074 (shared CWE-79)
CVE-2025-22539 (shared CWE-79)

Affected Assets

Vendor: humansignal · Product: label studio · Versions: ≤ 1.16.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-10 Information Input Validation (prevent): Directly validates the crafted label_config query parameter to block injection of malicious HTML/JavaScript into the upload-example endpoint.

SI-15 Information Output Filtering (prevent): Filters and sanitizes the rendered user-provided content from label_config to prevent arbitrary JavaScript execution in victims' browsers.

Patching (prevent): Ensures timely application of patches like version 1.16.0 to remediate the specific XSS flaw in the endpoint.

References